From 9ccc5e6d844b2f5cb0b11e75157d74ea784b54b2 Mon Sep 17 00:00:00 2001
From: Marius Vikhammer <marius.vikhammer@espressif.com>
Date: Thu, 26 Mar 2020 10:53:50 +0800
Subject: [PATCH] cert bundle: Fix memory leak during cert verification

Also refactors the unit tests and fixes the test case, as it was giving false positives.

Closes IDFGH-2950

Closes https://github.com/espressif/esp-idf/issues/4983
---
 components/mbedtls/CMakeLists.txt             |   1 +
 .../mbedtls/esp_crt_bundle/esp_crt_bundle.c   |  31 +--
 components/mbedtls/test/prvtkey.pem           |  50 ++---
 components/mbedtls/test/server_cert_bundle    | Bin 31227 -> 400 bytes
 components/mbedtls/test/server_cert_chain.pem |  79 ++------
 components/mbedtls/test/test_esp_crt_bundle.c | 178 ++++++++++--------
 6 files changed, 159 insertions(+), 180 deletions(-)

diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt
index 1f6f391411..37abd64355 100644
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -1,4 +1,5 @@
 idf_build_get_property(idf_target IDF_TARGET)
+idf_build_get_property(python PYTHON)
 
 idf_component_register(SRCS "esp_crt_bundle/esp_crt_bundle.c"
     INCLUDE_DIRS "port/include" "mbedtls/include" "esp_crt_bundle/include"
diff --git a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
index 6d99f781ce..c03da8d9a8 100644
--- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
+++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
@@ -19,7 +19,6 @@
 #include "esp_log.h"
 #include "esp_err.h"
 
-
 #define BUNDLE_HEADER_OFFSET 2
 #define CRT_HEADER_OFFSET 4
 
@@ -43,45 +42,48 @@ typedef struct crt_bundle_t {
 static crt_bundle_t s_crt_bundle;
 
 static int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
-static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
+static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
 
 
-static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
+static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
 {
-    int ret = ESP_FAIL;
+    int ret = 0;
     mbedtls_x509_crt parent;
     const mbedtls_md_info_t *md_info;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
 
     mbedtls_x509_crt_init(&parent);
 
-    if ( (ret = mbedtls_pk_parse_public_key(&parent.pk , pub_key_buf, pub_key_len) ) != 0) {
+    if ( (ret = mbedtls_pk_parse_public_key(&parent.pk, pub_key_buf, pub_key_len) ) != 0) {
         ESP_LOGE(TAG, "PK parse failed with error %X", ret);
-        return ESP_FAIL;
+        goto cleanup;
     }
 
 
     // Fast check to avoid expensive computations when not necessary
     if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) {
         ESP_LOGE(TAG, "Simple compare failed");
-        return ESP_FAIL;
+        ret = -1;
+        goto cleanup;
     }
 
     md_info = mbedtls_md_info_from_type(child->sig_md);
     if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) {
         ESP_LOGE(TAG, "Internal mbedTLS error %X", ret);
-        return ESP_FAIL;
+        goto cleanup;
     }
 
-    ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
-                                 child->sig_md, hash, mbedtls_md_get_size( md_info ),
-                                 child->sig.p, child->sig.len ) ;
+    if ( (ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
+                                       child->sig_md, hash, mbedtls_md_get_size( md_info ),
+                                       child->sig.p, child->sig.len )) != 0 ) {
 
-    if (ret != 0) {
         ESP_LOGE(TAG, "PK verify failed with error %X", ret);
-        return ESP_FAIL;
+        goto cleanup;
     }
-    return ESP_OK;
+cleanup:
+    mbedtls_x509_crt_free(&parent);
+
+    return ret;
 }
 
 
@@ -205,6 +207,7 @@ esp_err_t esp_crt_bundle_attach(void *conf)
 void esp_crt_bundle_detach(mbedtls_ssl_config *conf)
 {
     free(s_crt_bundle.crts);
+    s_crt_bundle.crts = NULL;
     if (conf) {
         mbedtls_ssl_conf_verify(conf, NULL, NULL);
     }
diff --git a/components/mbedtls/test/prvtkey.pem b/components/mbedtls/test/prvtkey.pem
index ac8ee3b17b..bb0a510a7c 100644
--- a/components/mbedtls/test/prvtkey.pem
+++ b/components/mbedtls/test/prvtkey.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAra9Pvr1J4ltGfVdnOv4DVdYTL68UaIKu37r0TMRdBKn5gSKm
-nBnvDx4TyMfiaOyo6tADGZPbzYJ2r45Zmo8zoIiUwh9SWHkFghTl+jNp0+1QxRCH
-HyRak3ShIZvje+c0xDDgMIv41l62FCE86dNW0gUCC/KgRCInqzsKurbxZU2qjebI
-5TKDkOFJsmoaWPb3q2+wEztPpvjGlV33UVX3OK8bJtRKALFn3733E7g5F2qANjOu
-S+7jXDzqxw5HD+QZTTH2Kehh/hrV96WeXUVGnMWru2BtYWKD0Pdh7zGcXjP8oSf2
-FkVssh+0f9khI9Xz6KzdSIMVEeSrDXRKnyJnDQIDAQABAoIBAEtOCpZZvfIdvxdT
-URfb0Jhj5Be1onSZzLaGeavbK7V8+QgLfQ+LkwIL+WoBeGIj0i1VGTL6z79wBIOj
-hagk1K6S6WStbeecOU4oP3pW1lijuXRn8R4IhhkO5VoMG/q5yUATLPD/j1lq4Skj
-LCT5k9glgbiqbuB7qpVsWP+RmGJiLh3jBDrb1NrZLuDlXhXJO+AF69syxxiyvnFA
-s7aVHst2TPXgccA9Fh37GzxN4hratz6n0JAaMxpRdJaJF1sSQQznfrYfxnkwtE1y
-ZXS5XgeDjqv00mucZVVzNkhT9WeS0bXd0lblboK2z39cN2YDYrmfEr2HonbTozNj
-HPlBG2UCgYEA3zWj3kAFhpl6zrHvcIzaemDxi9pFam2wJLgzeSXuHBSZSazi//qm
-Dv7rgP38XsY6MeaqpLW687FZ6yiDg2OLLMc4ho7Rq6mOKjp3nTVHjO+LONfxgWul
-evhFIabW056jafecouUSvy/9nvrrA5QEJjaHxg0tREuaGiBBgMXTnd8CgYEAxzMr
-NkVHqIis5AzGUJOaF2uTqnXbnM+/+kEkJD6yNzFovsxkaebGQF9LA1s/qiDtZtlH
-QiXlDsWl/PrKmvxToBY3v3fJKeAMXValtAtX0h67RX6rJUqXBATT/AOcfdlWoaEt
-xTCRwi70xjVoSwnvE8CZAGDyHk3/cjRcOBe5QJMCgYAyy4ApGaSoRtEdrHxyvnsR
-knIlg1x8pc2J7ak5DpqrJTzk+UUHP8D+dKCfUC1YW//uTzHSHdEXl+qAi02yXrrT
-S9rfNC0exY0mqvuBeRh5SCIEo4/ABgE4hLsmt1L4AYfqm4C3yS2E+KTcwvksbUis
-cYhgV6tPeWzuORzu8xX/PQKBgG5puFv+jrel+l71jb7/8Xtlz5W+ehozNTAbh1Ln
-xZS+OFb5p/bjSaRIraWQoHtGgRBvAwZxRsOnXlgZEtBRaHDln8TrOn+Rhoj+DB79
-4pG/IwJkMa0b6RT7MB0SS12eaFxyoJIaV9CQgnCTDdn6CaCjMqt5EPsnNJ4y06Lr
-020tAoGASPmKKVhXJxfhzyzsY9Kk9o31MKISUqVDNimqVDOt8vPZw8m/2WXUVH9T
-DnuEGaBmpG22Gs1NxbktsYAUzBeRBpoQ/fNK55eaZorJLs3DfFK604lLClJlQsDd
-yfp4LcRNQGodV4Utl6mPOtOFa8nrVGMQn3+M3TK6QTNpjLe87OE=
+MIIEpQIBAAKCAQEAySb2QFrQZjQ1EhfN7I+raKrWSWWeYGppqPk3E1sV2y6LSE3M
+7cVZyXxcpnP4mcKos3D9k8sbkt05oKcHR2THpWdz5mJn8A7TfJYWnYRHcRuR85th
+XC8Pjf3f+JfjXgr/2a2JqHb4fttxoDRwWP1+kbTHa4iERqTFOIhYB9wD8uzbBHJq
+IlIGbBHO9J+JxZKVkgDWZfc7zik3YzvkuWju/PmF73BagGxxRDzodzfxhHq1f96J
+w10YS9pkhVFLxzOz3O+buwL8plCQplVnpj6J+2MaY4JlUvCcosDkT0EORAtrYGwZ
+KJBKn4dRftk8Wbtns7zoJ2SNUL5TZ2oyAb2dwQIDAQABAoIBAQCRmE3tTs5A69Du
+A6TdcTAUVnM8NP1ptBw+XgRrUiaDuzC9aPLHt2zB1e4J3S83vBn3p/UjIIQYzV+E
+1OED4AJRyoutWdT5gQG6z7gW00QSrm358aGK49VSZUvT17yOuU9u85kMAvDigVvB
+JbOb9f/C3yLoxqtXprPJs4ZkSe/hyB0JtRzauDYZnK4JmtgDfGds1cykohbUaeCW
+ExUSbi/EPuroowmjEPFmN4tH/C3GtQonwGfjP76GXm8u5Fg8VXYUmb5pnxYcFdvv
+shoasbK5lksgK50VP2vA9Y3mIrThRvkWgcv0TZaQWAF/JtdSXIID5WzfsgLbtDQF
+hZLk1dDxAoGBAPfAjPAqapNVl4GqSkUWofUHMzZG85fHoPN3INSA0aMr4X9wHFfQ
+pQ0ACxuimQj66Vk4rWww+HrsjPfiNMZzoi1exS1tjbQVyTBffrHj8sSdWt8Gw6MB
+Pp5ubnCy9pl4lWNHlJZJp2SwAd10LzrizzAQALeEtRmg8meYGZElVUy7AoGBAM/Z
+REXLJgaad5V3A2xehrSnknKUwab4LFIrgirZ6h0RXYo+wEHGJpDvM5Vw3sZT+UaJ
+Jdlb3cXbqOxWrKlqjKe/S2vNScP7V2Na8l/ySO93PYE0V1Q+EeuNGi41xWC4Dh7o
+D7BX2nDm9YBZzNVxM/30/dTzFM+CKrCARsLIXvWzAoGBAOQ4GRv61qXVyHSHO1cd
+HB+sfD5ZaXa9S8Q6TqGx8GrQty4/RbyW1BN/oLvaMgKVr3KixQ3OpnYFhW2qkFbm
+mdQVYqkQK+Jh1yyaKwkPI8h98wFTJ8/2C4rByzZBhOumqmYDwBoYyvvzLiSjLAag
+e56YfzCOLIzpN6K594M+0q6VAoGBALWR5D1gKRjNqbetHxV1QhHg7WMhJkaZOAaU
+MYMDmKvJ9sAE72jGE/y6qYJb9pCk3PdMaf8GbKciq9/CG9Vn2fXUe6txy4XkNEP8
+OA2vFx3yOY18Tumty3PNcNh7arCCOPuw17vCE3ZbnI2CZRj0amnosjFsJHreCDLl
+7GrOJX5XAoGASZXbGykpYJTTr5PGPL/eX0koU1RZ9f6fvVdkfeWNGZfJ4oGkxDcO
+fJnzq9wC9YREy6f3eoMrix95RPv4Qo1Wwi2PmtyMFvUdsYckFEhxSN3p4Iqn/nQg
+6I7VB0yNqw8ZdP1vBkRcg3kk+QO2tci+OTdpDSKmO5nGjuqpsdBM5/o=
 -----END RSA PRIVATE KEY-----
diff --git a/components/mbedtls/test/server_cert_bundle b/components/mbedtls/test/server_cert_bundle
index 19123f6a93aac4adad599cb3f4d9344e3f0f52c0..0b7f09aa06da459957cb5c4df81df1876b9597b8 100644
GIT binary patch
delta 349
zcmV-j0iyo<^8t_pGXMbqWC12HVlfLa2?hgI1O^iVLryUhFcAg=RRjnO3R7=wWi3;5
zVRU6N5ik!1162eElYJN;6BjTQ1_M<D0}KvDb8vEHb8~5ClaB!=f2Yz5%;@aTw^?ie
zR3d=F1*>;3`!A{8v?j?n8#xP&kH?KLj0Xp*+dFiz8yfkH0zT9-0>%%v3x8KMSm7~z
zj;WH5vZxHBmXWxo(Crrt1pE#85Z`K93$W({5BKkdW}EhAH~fU-GgOS$<2!5~vj;PA
zCrbx%6S1$3s^XX{f5LV>?qFsg?F&crBiSt7N@Z}ognJ(oL71-qt<f)p7LSPdG?k~o
zerk3s?kOv9SV}h*^v~iCc}W5-!+l3g4<;qRa|w{NH0E+K$q`Coxz%}NLr9bxval<`
vjchQ!RYpX&mWBtE8H6E1+X^`Xe(u{v2Sr7jzk>vU*G~?F2RIV~0|5X54>pE0

literal 31227
zcmce8bzGI(vp(G*EhXIuY`VL<ySuwVLO|*6PU-FrrAwr{LAoUse%phd<M-Zsex95E
z$$H=IXYYAto_S{0tOX(k!UduQ;9!6Uz(RqmKtQ2^sVFf#10a6?0}c&Jz{bGS&Xxfi
z@cjD%I2!WP0->Uvoim}303j1V1AqnvP5oAUj0X%93g(Z0fP+GV3xYsUB^CAw_;w+t
z?SkT}_MI!fYoV<{-JPJDy&LSEE3qMPdd<a^Y{l`4>0Phv+ep9X=7u6_-oolHYT35U
zU=B=IfZxphzy8gb0j>b#zrGnH&1(n{VsJwch>6lrHn}_{#E0%sFR3CgQ7NM;!z)_c
zMHmO736Nc*_Ed`dQx035eV%uNuS@c@2$My0Fc-h=BHL`HuWh#L1sY!18#84OlhWI_
z1m{p^yWG64Fof!Py~trpRfT^?rwzgbN)F&+zye@C+3=Z=hoOn1v!jcX^GiYrTO$Sn
zz>6niV*d4nP|VuS(7^f+y8`?{iGcvX0&V&B8W9u}6cPm7AM_ara2*cJ9~2biW}vMd
zUEUP!@pRJTkmS4(r$6$|8LCqOb_w!gdajAHrW>z<x9ZgrNyF5Uo_aN#%(MiO?H9|S
znThZTioT6U)~sZcY&6+EYU8x&Xw;ABP?ubrQ<NRMNH?Xj;_)_-2@J^EN4d1^)0{Rn
zc&++fqEet=Br1GFL&u#XauC4Aj=z46YO*rD@D&E>G$li)Sw;rDfKKF-xw2}CYV<;Q
z$9}LPwm7ZB@in;cVwT$ZY*#avD@(qmAY6pyy}U`nl9B((a;KY2y5XRa6XrP8Gl^pH
z)7p|o>)t{D2ft25&xQ`U(&-o;35-EeJa!9&A^#x(yS*DKltUo^ONWf&9T+$$2q*|Y
z(9FEQ_^rG&11<pj$>yjkwiccy&US=K_H=}vgm!dxbPT9Kclg7HVTFKjxYz*Q_qUcF
ztL~<olzTNwHipG3*As5%XX!McrErrrvD6BpU7h{a1^oE+Y49<L;@%DhQ$!gpY_IDr
z4ToRIR+3coyCU}+Cn2wVgQ_|8k#%cRpY#h@T@|Ci>7tX1YC3><Z4dWcnQcUhX0$Bx
z5^HMI>tOjtn?ym_i`j$#L;<NPORJl&&wLEC%zBQ<^^nP*!N{HFt5J?cH64ju*&dVW
zl-P1~Y{k*fi)A|=+!bh54k__%AoV4xqS#*VnHH1J`6ehG!MzD?k)wJi7_Qs!^$j6N
zi8*`@&KuD59#JFz;0EIA<A)Ma4WExJFQ*$8bgspj(3Kkw=IzEtgJ(){7ZSN%Xgpb3
z0BC7G22ud=lW}o{EzB&OfzGOAVP<RK?BZxbsQlf#359@Geh$ERvNDpelJcK4q0aPM
zQ?FL;CCS4CsMU=anp{QuANEhav;qui9nOF7?&t5uLJwQpWpb6E-sB^ah%1vts^k?P
zHaY$}N%YKQf_k1YDt!CetqRqvKA|fluejyNiOv%NiZLM9Clnnpijuuf&ED(*$M8+Q
z-OpsTQNbu+U?bRIU&`S1p`ulD?uHZ&WtMneCc*-2B=2)N{AI#btv>3|Qo45g@?Llx
zvS??=UN6g1<{3c9<F+}PmoogoOvRyQdMrMVacy|tYUiMU{UN5~H2ERB3Ww16*Kb(b
z{AWoA)2V3@FIpDJn)~KfyD`8xOBZa<c<H`q!=!W11Xye#r(sh!P^oQh^Q2{+g6TY&
zS_q6BAn=P*1IZX2fcl5s5#R+(O)VU4{;)Lz9suVLJ0qa|vPvlLXkugGVgv98`}Yh2
z_MJh%fD8f#3etnRTCDdVu)O>wD|GX!Y@ORZwQcUy*E5@mdMScXtAf_<bKE?uy`}lb
zNQJyNT4oU0$fR~Ul>XgGYIEXLXbtNfF*2)f5R|Y|@kw*#qE2()zz<(i`A+1kACt=r
zmK1rV&fl@G2&-Xi--Hj$i*F!eQoO()2zW!**ixb*Fal02MH>?lwi8lm+Q0Wmv&UVw
zFj4zq-8?<y#uG$!<x(ZV`o6_@*)VJs-i`6VaD+THt+m83K)Mdf6EHy4c?2bs)Qs1|
zKr^k^riA)DJw=Vm)Xjj10h*3XA_MFE_=3hEyuO74TEgw?30-V7WCSg}o7ag@CrfMU
z+^tjL%ky!yV@g?ay{Kq&So)@$C8#~RR9=O`PsBZNh3w+iwYQJnrEk?XTV~$4yR``I
zi~C;9b&%NLcYb2ER@Xi|&c{~9`2s%Sy0aeM&RshxF10am;~QJ#Dw-~6!kdrZ4Gpd-
zO52ol(KubBLUhuyBn^^ukDfrm)VV7pCOQF=f~n7y>NBx(#J+zBiq9>sDgoOs%?6Sg
zjMU|{ZfCmZC<fp~-i8MsOceyN?v3{`=m}l*^~ZtN=+R(wt8LS_Q04em2j%s0#+Y@!
zUHmAJz~>!t6m^r}rGMj;Qnb4)EzY;scEYn<pw5YcYaknRR{Oojj%BT#5BnuWH%nJF
z9-$3pPtGO`jBCMvbv8@@`csf2ika9wMKv&G(fwpra5U6E*MDTJf54&(BUna&Z<o(W
za8!M?R=KU&w;USXW2V}2=A>_mgc`v2WQd?)f)~{3O*yFAA>G3=*moftEqxsFcY5>-
zs!sg2LMWeQlFb|iT$C5Y^d}DrVzHoSlqZYE(#Z{-1qpRyCaBTMpM=o*d8(D4AM067
zfJ8K--=Jf#%y)_Ac{vWmbPlS}jE*Pqrjr|wtd0d>I}FM0Oig<gV~?t=3>;4AvMX(C
z%Z1ZE$dj;sHQgDG%;&%cX-oj)h=E6XV5j@^0y6bVhS%;H^oz=u_)+>C8+WWqXdF|z
z<TQ&sMd<B}2Uy^giVzOlrA$2Q?5)tOfrjZG`<Q@By)K$v2dk~yCu@rWtu6eo*8Yz}
z`=>rY!2C6|h3sr>OdO3Y46J`krB}FeX3#V_7+;`>hY3JyHl0MEge6|KN|2$?jD2V<
zeJR%`z!<M~hgztGv=K#s{}#Kjq@K1}4>9z8<r@|cM%q?9L$>p3ElHlCQ3t&}!H)Rd
zft6cgapS)2(mooSa>&!WY50$++o$sRVO(PGNVGgXZ<zR+PEwLK3A<+~Lq5jeH;Wu?
z@;^tJaz2G;*q|Y|Op{itC?n);5%Gk)Xiu}isPL90H0oh-<%9+sWc$`HcD#G$`oan0
zJSo3^z|&)1u!P1}`(cb+F3<EeOQmp&GCm%F(IjJsJ5E<#)^n3{%60_j{&s?`f|R;c
z4V;(~QNqQyk#fPMGjekY$%Em4#NM(d&Te*&Ru;BqzqNN=;0V)mI;(hVD+9&sgS?L(
z@zUGzeksE$#=<61X2u&(o7!v=SM+Itf%vrN`WXP(k-#?_FF)dEKCqTDxv>b(u_WT~
zu<m*y%}tBtSXzY5e{JQg@X(yToN;JPjV7^5Z47n}LcrH+&ZNC7RiasHb>)qdhJgvk
z&n3Z|vMeWVNdcv^F&XY4HB}*%;uo&Qon3$brfUV6kLRfA>)9EJ(o&~MlHL3*ze9v~
zd&1OMN472n$;!8aadIROssnD(Qy%?JKKY3yash=*bT&bVJbSew+@K@cJFnw#xXohI
z5bR-r+ht)^gO3|-q66Mnm$9!|zb!JKIr>~6V7Av`JlR_esMbaPiGLFU@SjrG^I!e@
zN9rOJ5fb`4<&Fr@#l^?~AJ6e%Y2@UN^&G;$8#TO0C)bAN*;c;Gn;AjfzeLyDjl?dc
zrxV{P!xC~Y8)y5_UNib~M{EOU$Eb;ij^4dTZt?P2zPYrDqgBESSuDW>_YpSkn2j_O
z8Y&PmVD|ktKjH5P5g&l}$B#h6_>&NUn$y+9(FrJwzH{PlGH?NgN_Jk~8bNplk^F3T
z2aQ&JerC?Rqk20Cu5_otAo>dt|I)q}elt7=$myJwHl#Og4xpJ(Uta0qcO$6`1*B>K
zDzJwE;t5B@Y!R1|sg9<+<q2JDm>_G&1T+jtv+>H4f=t=WFYrZNm*s}A*bd)dcw)nR
zo$gORJujw1E{@&dQRgYfH0P#wA;R*dbbGgM@Vv2L?*>0*(aH7_E|<vqc%kG?tZC(y
zr<MOg3o#7KvyXyjEO(a2J~U(_oG4p1l}<ITFUrSj+|6+EIq($V%~S)vvFjj?EuXg1
zBoeH6F)Dt0(OM6cQ$wWtZYIIp_cSGQNd$)X^8_p+OZ>8*tWwf!J*+UHG3Ik{Fli-3
z^OflmN0~Sqf276q_K$TJ+B(Xf7O;skizwX@E=6@8IR?hK+elyS7!Iwsdl$B=nZR#7
zkR3HxATLqkh_-{i7*DESPv+`kGoImzKZalbLRkT?+UXERLM0ISwpU8gYtEsRAQYp3
zD?oEr9aN!DT43IHPQc7DmvU7<pg42D>#LHJqsEsw&*!d4W7pf-^YALnxg}clmdc;e
zhSUy|Y%X=7=taWRr${hkw=iufjWhtO@}TKPAvjr!&*S~=**=hFri#sI4#^f-gg6q!
zSTFiy;+FRlI4!@F!#4Tm8^@1KH*tEzok>T@YeCM`>-7{f5<rI&``4KHJBRxjHE7TO
zLx&?|{H@E?Dl2vm@}AExRV(3WP<^icAVRr4`{}5+S1PB(*-NcblKku37u`Zz>_uk;
zITkHOc+kzo15Y=W{SwW!ncW<<_|xb-XVrLN064z3EX^BoXMaxw*K9kPF#+0a3@CKH
zM!`|9D0KtoC2E*kx(}cQ#KL&e(EdAGW8;#qASSV$C{9a~ed#J?4}$PX-7Iw)cC|!W
zmOkV_+NnlHA(Ow8_&_%+5JbEt_jX9Xem}>k3p5GYqaB1B)rJP6x=gD27^_(}acRl*
zk*njQ9(dPRuH6n%+{Xp}_lnmKo1E8{ZY<*q5eK?hmJI#)E!?=2GgiudC0et&FLAL)
za>1_BG}_s$-qzdrx6JJis<sugs(<6fzBoc4FOFlsk?YnWh8j=WUoY=dS$j=G8NhjW
z=|!Xf(xJ#cHfriobop9!V>|#>OhHTD^5dd7jt=kj@RiB6^;yCV7#E|eKZmDQJADXl
zXHMPjqi;m`D)^bctU8MHK^`A6O+YHB(|o*5AP9wN*{MB0tYB=pTpXeStODs=>@<A5
zK}}H2(PJvh;~V9nBVnO3Ty9J&aY;Bl{$PUG_wXQ)kLLqmlKCaYBPogL^y+Kg>m9Ao
zOL`EF+6>Ge4)ti)c#NZocRn39(JgCK%;&ImDzhv(G0KHQ;4{?>ik{7B52(lwnzt9V
zu)_YW%Mk+zpF|(Fn4O)O_0Mun$;8ps!pOvlP+D5(XB7gD1}~<p^i<a=GW^!%8c@K(
z@HcbZ(zup7<9Qns3i-KnzWLvJGeY@0TwR6x-tR89S<)pX<%LV#(p**Fjs?D`zU@s~
zIcYx6+iOD&(Jd@dEWIJ27|yRwH(H!c@i~RlJuol0?9&uOltE_Nl&wa~8^E%bI{XS7
zy_#W6MMeUhQ#Zjwr@!`b0ye01RQy!t{d>>g(AJiZ8rU<HQB}}YnG9$C-Ce761vb{$
zNcD3*<TxVWJXId~@s#Dye95<qU>*{8xy|F1jsrM@X)qFDYt}r&>0D;g4+>R{qY~xJ
zD|nLL2S#<Z@pr*%w_gR-vRId4$@>PbNsq=(67DgzDW+61)>GAzQP+vzI<5~HU+?%M
zN9<<24-LL!Hx2!2bPIax{>@9<?anpm?r^ml$s<9nuATg32K3VbCR}SIe0^_ks7mQ%
z*?x=^)d+SzBbhAqnThZ?*jUM!MBRSYtAHwgug^lIh1Pjd-XX8=q~ASGM}8QSTC1O{
zjTHIl+I7TF^G)elRpB%jVs&UP_zFY$h}*uM7w^n!3^D3X$K4#`S7ak}1;-Vg8O*qL
zDs!e2PSZo^Q1Vr@Sv3=PiWOZ6bdX#S-_#<ahT`gks&~zZm?#VV*5cg!Yd(mYqpIAW
zk|3LhrH(kH(tG$ORM2cmt7aVTF1uSsj&Q#`ycU=PN#@}ksPIf?!-7osA9uOmv)mX^
z*xVl;qBC<tLup!TTw}8=Uw3DyluV9t<;OXmz}?woT%Er0)5;N7%;M;6Jf<u=8Fn>C
zZ(c12wN4@EA%2nd;OMsYQmb+cqEpT>8;3c0m&5!pfy~P_XUC%X4R(7-_(S;->%LRl
zW5C9+clX4YWNidwW|&0WYPZ(7t?nrufX@HxU0dCAIPvY^wB9tUm8zjS@Y99M=q3~6
zYi;TBT_023l-Z{DyaVHC8Rf@YB3>aX*P#T4ih-!L@A;E9LkYxU3Y;}3ZmNwak(+8^
zn^fKSbIFrE`W{xvj(NAUeWwhbDM)eig)gkzJI}p0&$;bJ*vr}QZB^lRg*vvB9f=JF
z$fUN*!HcH`)+gsp-#c}y87xz(x}a4AMSez5fJJr*mTrr<_2Ql)7AK%yI<RULt{!G`
zU=*z^mplvKb>=Mlj6>|?HvzaN6YMAE;zBJ?r0e_O3SC0j$ReS(7b~&ris{H;Mw93h
zn%5t%O5ABF<pWAoL&CVal`3qbp{4T$BpWZS&pjz3`Y~;wq^=T0fkSux-mH9D3nhaw
z6}Nr5MeE(*Fqwst3WfIC5bJQT!99NC`0z32{bYgkO6<F-jnywu$}4mkQgv~FlGkI)
zI7<pnh;sIO+YOjR*d8@IA@DB7L(`>gu-#ZWk5kGyZ@9mqlY-X-P3AZLa5<nD{WppA
zzshn<e<w!?<d}k(s6ulBSBCqE)CEHJRWoR$-t@hYrfBmeS8%l3$ePI;8WBMk4J$wK
zc^iIM?L+@q?2v&KC;}m%VoS46?%Ns-x+#U-vZb6T0$V+89V1*Gh!&X|j_8NLc(q0W
zBJn@>BmTA<e&Os?Xdb3tA=Jdu`x@XSC6RI8Z7{a8BHC^>ZGgp6!N2Tu9TEf3Jm5Zl
z^D39$m8-a~No<b#b8L*I(_XbBM;299Zt|p_uKHV(XE}i;P@k5<2K$``!Y%2ydrCjO
z2nCS@mc8P?NE{(q1{A=v@A(D>0Y=H(z}C#%z~X0f77hVc#L3>##L3CR^yeBl0<5*2
zk%6_jos;u#OR@4wxsG;;4J}b`H8ai!aFrP}`bu<j|BBU?OX(gRh~nGV#0BZtC(rQF
z2KqP54~zE4!Lj2ONBvzZBQ;W^n6iW8-xDaRdqDc5Z{IOlOdiSiA_ozWYQ{O|5T$K;
zeP-?ftO3GqW^^0SiMaPBRVN_9;Lo##i786C;945aOk_$Tb_TW?1ESX@YAkWoudYk&
zs?fOP3U2xmbgmUtuGuSb$)_Yis?Ap0uhE(~o?H5{GF3<&Z)$Vz_alit+rpM%xT4xM
zc)*#yewV2uBAVV?+Ny73U>GodZE(VnuFLc_hvEuT#JYx{&Uc=OWcp&aY*{=217)ie
z(OEK!*bMQ>`=x=hQt}s@1G|Vny5DeUuoA{5wog4o3IN$t4TJyZ8nB1^v(4~l^Y-^?
zzEB=}g)fC?ib?d$PQk#xrdTe@EJP=8UTGPDa(?#ou_8gpG3B;i=T&I8;5vi6^QYH{
zuSU~|N`*Gc%5~q`UciPDXfn3v9>m}7YQr5qCQnp4)Yd6w$p)RowzVJ1F#>|6p6jah
zD80V|ONy8`r0FCjFpOCJ&_pFA;m#eWA58o;Wr20zeeTptWe_tKTc=Ji_0#<2?W$aI
z&!IKeci5O;zBQgy@bQ1K(S-Om#ymv2<V=FA!-R&a(*sI&1y}~t$y%EhYp*-N&1sd8
zn9I@vy9nJPjovbplk2VwLvnsz^vN;U(i2o-q)ybM?|Jn?GCs7%oeR+$ljUgDvHQ|@
z`WZbLw~AF^?LoIuG$e2&u3Xnl>w_Q{7PnHlYqD)VaU6lr*TVKb573(1)n%WsM$TEb
zB_v>mR0nzPpJ922ado4;mx&sbLt@(_$U(APHKZG6fl}~zIY7pKc_&pEqMbgmiOBI*
z()rc2M$mgcSp;pxOP*^*|FiwPvTqX1IFuIx!JKHvyDN_=FZ5c5ck$1g<@LK5CY`oV
zI<k+L;GH`N346?}Phr44Rs4KKWfKc8@p;#;=3v*EjA@K!8FjO6yS$#c+a<NdrQW8a
zM!S3Z1!2rOI;X2RyH~fY+uB34$Yr;ffAD%_ICbLTiKniH7eLB>kO?-i@?ff)eeyb4
zV5Cbk{HRmlfpy9sTUy^Y3I22?T0%ue1~dT5liY;+>y4j_;Ap=r{x;eRK9VAJ(AiO@
zhzRzS@)9Yh!B6@I+TWqp4tECW_4&S?tO01xd@DcmTH3zRPlSy{{xYt#a_{Bi6kMhl
z>?K(+BvGJSR2Z&_(&p)Z&=I~@Tb4)$og|q;4NYH%@75XmtRCzYZemk!Gv~{;8Pw(j
z4eyO{sJD8$5|;HGy1~qcZSDv#$${2Iqf&L*-UuEtr%klOL_^coTHfo~RDn6SlkpP6
zq=qqsZOib}^CP$W6mT?7F?|`hWdp;zYuT6d(P1+8RjjyI*q(3JY|ahPg0-{O;@}jL
zLN&)KOQ)|(U`zDdm*(|W9gFqRbU{D|CGYt1_o2awz#{#Jz~84u{b%gX^wY#}znb{x
z;(yNWBV?}89#HPYm|waA8UlwXGrvK)qV$#rJAM@f6Y8%C&4AD&9j237*Y_7)S1d(%
zEoN`MZ2alq%gelH{yYdY6-l!V=x>odTDj2t+`?hjB_=El=?Qf263tgbC=%GSpk{do
zhsiY%omQ#__Q;U}F#1lk!X_Z}fpAe?S#Vtq4^YNzXM`H4v6VTaFFCJq9y`+0rQeUY
zc7EXjS%+fU^{1&&D&WL)3SSmLBIN9<E6mxek&C8d)ZbGZZia|8H{WI_*LSJOa(j$H
zKdB&;_*%}7A^r)B!2nygDe0u#t<gBuvs14d?Ig|c9?^PD*#ff|e8F}vAkM+H&*F{$
z^B;Bxvh45uo%N@Q|B2my(=<we-gO!>y*)%9^5VWmggL7dfq&^=C*F6U#a$85BoNDl
zo^R*7M?KP46>Qbp5b~+7<`I2N0iEbjav4{%Zzkwih7$wo$k-G<)^A97#VKC)qA<i)
z&fN%R09D>b(3D=L*@IF>5hoPKuMzt-l21=)o3S(zo{;%04|iy9jp=lBY9j+wZ^woW
zBUAzYZSz4%UQ=g>zmfd-DOSkp)-#VU`?&<v6ZUjopWEVEZIm{|Uxgz>vp<^FxEc7Y
z?T2%h)a74YBuJt{+k6YJ3HdmlZQwSb?p!rR!g;O3Ih4DY0lT6jOdEandQ>g;&ZkWt
z!iag*Dh{i|inWGgtBjPj@${qt4^1tuVWs9~<4vPeZWBw1$oX0ZYmS|A=$WIcEnRT0
zf}k)){Bd3{dt#cbtR}qJ1r)1<8=%dBZM)!*2*%~>jsYg0+w^=)QXri56qt;27y8jR
zj{AUfUGyA?D)_yJ<EV98_!^j615;SbYA8;VM2)UfmT!X#lo2>6LH4iVic(!(WOBZR
z1j$_Vn<2Yhg3P4Qkap$J+P{65GZ*me)8i@t<@U`-Ch;#rHpb{LJ=NtVrC=m_6O3_;
zkUV(4)P@hKm!}Jgc-SHZVQVW_n>2KWr!ArFA=)+3Et%O4hN094qKATD+Xr~WB*jeO
zP;|24GeXay8*x)gS3dcj9MJD%exKc`0hCYKo#?OZF7IM!ZDB;HWMbrO=lCZp|31Mt
z5XXPb7q8qEvx2*)aNRoR3+3{Ze91r^9#K{Nfx)WC%{7p`q3pFFBFuq`daLJ6n~C>%
zwoO=(*q)&)KFTo+`llLU%**}pJA8WG#bGCbiZ+lcNgDo|vUM)0_p}*XIcbMDocO0O
zwc}f)EYMl$b%TmFi_k++^;)L^7jpfy?*__;6A1GeDAm+8w<2&;OEVD>&f%Cih&kYr
z=q{ApnuSHa1rD<kzSf{kwX+cyHyDy$Rr*w^*e0A+N^ce5c;e!>0L6r>Gq7OPCo@`R
z$}swAg*OP9b-g*?^F&|1W_YMTb&ajElo^eKY?s4yE7`LIH91|w^eu1sS=A6P)HAPB
z6e+fBVH>aEqHu@H>G~MfkyDI5niYlT)k)IwJk<#ruOPi?iKan1LCtb?y$ZC?uZhp1
z5#tt1gcVFjyj{T$EQ_ewv6Ea8twIfM+pdmXzuD6)Q*qzG;cE%vg{ji3;Ns=b)%RoW
z+>~&~Mp`t0cGthn2zdt29<RK+zm&;C)}};$G+oM3(#tQcTv}5%KYugpxQN$g({7@7
z63jwvN`HJ+YjVmI@hVxsLiCvsp2b~S{kVbU=#bRBbhKzGhDMH<G8J6_r5@h<+)~Hq
zAW)GahhZB`JiZIq!dr%pA6AL`&Q+(D^%5M9Z1k?h!L`2iQfFT|kpv>+f_{E-JVjuF
zm;c4_B;|jZa#0cyl9PEF1fa7uac1}-F5%Jef!^lgXyNSfhqiRFwJ<Vpwy=BB1VREp
z-}}w9OKt6g@1#xj3Fa%ccL+AFq4ZLn#`n_4p{EyAuf9AUQ?KpqwP+a=r>5Gy<RrIH
zfJ`A@n#Qwq=u7p+&sctC-4||VCdqr_P=!rV42w{Z&?yy;aHo>YHMdKgBjv#EQI-^I
zQ5)j3Ph<|2jGh=YVZhpEL!p|fcHGsa`i=2p{(R(nlG%u&i#f8gq%C{)%LdN646Y<{
zp}d?n2@OYS5<n2B`ju=4p1G=N<*0zpK&=e5ifAdp0{#X+&*G?ebF5!F+cH9;amEty
zwQ<<0!3svaB1X2i;-FL!(O_To(eQ@^{ZG$MOYLt~hh=;YXYNYp+kKVK-|cza&Cj@!
zQab&xJ#b1({^tw^JR0s_(&_t-$)BMN6j;pviG=g_!&^;#9+OelWJp<b9N2i^`4y?#
z9MG_sLq^rjZ*M}?y4A)6@0@b3O#~nDyFqGfosb^;iMFxwOXeN;il&;!!e4+W0*lvw
z_Jvvg6JPjmX1c^gkP`2`bvpMrJ`vqy!8c5M;m2}{Yv7$4GSGH;Qa<1mYS%W5Bz+c{
zQosA;W+Rl_6=cE;N8q`9z|EA?n<0~LCy>DIJBS~6@F`OwHYh#_f%A=|X;y|toJ^7d
z)LTgq4WR3*{o?w9B0p#1;LwnN!NS&+*2#bY8G!Vidg0Naf6U4Kx_|!fRPk>kU;$|-
zC1NaZQ!do!{wyqj%xYhp;EcMeIROQt{nY5whMDO{yycI$;xxw*A(5$-RDLF<d;PSi
z!=-rA_Ru*zaDY*a2)Uc(sc?A=yc7B39=hwVdy3~V-fK3~EPzN|A*XYJy=lwMnh;J^
z4t6^z?qCZoYMI_b<tFQpk+fUxq3v%WUr@PY-4kb)oNeQT4L(Kmi`KXxz1_tQowl)_
zcE?P}-5Y>oKR72vlXFszLwm!C+lJ3v9|jrT>=stNNI)1<3aexrJ?6#c+-xrvL#$wg
z=}}Q#AwUi@fKBsBv_yQyn0hvV`SB%nw>7qqB=nolldrCb%un{u6|;QfqCY-GfF=+E
z^<N+W7PWu3SHb|Ge@cCnf9{pYJ6hNnI088cIQwN``jdkMT%67AzH`%WG3aQ*@Oqqj
z<!x3TVC*#@s6@MZ6$nFUFaxS#nJ$b{dE)vl!Dq|>(CQhW2i6X1I&_Q?VV46)Z_jy?
z8P9p48VthlaqieM5p4blJpA6p=JS4&3MM3G>gAelb#RyQ8*L1k;Qq#zHJ80|NS=)T
z5b?EE$^r0oK%B9zVwZ+JF^gJo=ve|>z-$|X6Daf1iKxSx6<86Aqg7Ix>Dn-!hu$0x
zggL$#*iMH225S=N>KIGxYKK|BjhhBnRK`p+MtqwfGjcb_Z8Zh2&rGOGZ%t+5WbR7Z
zR&s~;`rhmE2D`7bNDFJsRfsrlpEqHWPt@<y0~=W@->;TUTp~l+JFq-qpbf-8^A`*x
zM1E;32pU*BTiDn+n*5Ascr>^_CLEu-4L|yC;Aq%?zDW4j<3AYew<zR6v=Wyl^Qi5T
zJEqoqOi^vD?<V+FS8ZxV(om%uujc3+Rl!2qEK<^q8Ri;3)CDh~9<Uz}WpoM9fGT<g
zyG`On^|v$!*IUAVcG^YZFZ?tzWEera9R*(?KT#zAfpY&#DOpfxY9d~-SrZ?^^!2SG
z8vT3RX?y$As4mnYsNvN0`5`7xx0##6<}-6)L2<N+uJ`#By7~_d1(09smZ3GkrZljU
zjlR4yT8l>T)~SK=ym+&JFa=(r8_28oh;d}mcFV!)=<?A`QRZSW`eifE_8^H89|37H
zkv4P+ReK-j;b+^ooK{KBMojJISPZA`5w4wIGb44V-xkV5FHzudJfWZmL_y~l6o7e{
z3_$W!Q{(-ThY6KDoSaQ;oCt;F=w3=I3)B76qzvq`|0XGqV{j-|E7rF3YWVl)C{}O^
znfOWdpC`60vL?+G7>5_>o^Hb7U9TqbNL5_v91_(Fl#Vw0xMp?S^0G2#b9G-apolof
z@u>Or-iD+MZI@b3)h`G{BX`ft2!_1xyktjBkXDAgX5A7A@Ip74SwfKcwBmzM%GHC>
z!KqrHY3FL8SnSz6aA29Lqc~0rXT^dEiySy^Im8JC!X~!mqbA1}c3{>NT+-X2q*4>p
z<K0~K1{=zqZqWee?#&m;n4Hg;(~-FxtMN_t1eAPXU-@;70=NUHaZ;>4u4q_teYL}!
zCHN+Zd?4$O$yr8$pmbI~O<H9IF5gYdjkzq$Oo8Ka{{(~)5D0@`fB;ew25=l2Nd0hV
z2;Zk9zq8FBGrvCusNvC&-Q3*hjDe4gfRE^m>}-BEOu*5e|M`ihgz__~{}zl5u5}d0
zm7@H~Jhc+}+$ear=)v4~$Eah8TA;9mBcO4GvVcaVYoQ(s5Veer2;$`+D1MOFuw!Gm
z0iCO(Tn?feGp7BJwXPJHQC^w&3Eszz;(0I&GnJkQ98e~{k~#!!&u>aQjwxrIeLdY%
zG~SroYLhTZb;@?_YT9htce){Weg(aHGhZZ(tj<{Mf;Igqw?k}$!tyee=|%!ZKWs{`
zjx(?`r$kcPoA;xfp0%rPwiH`T<`VIa%@{gPq~-9#Xf3+&^L{O=OvcXh<GV?C!Ku<l
z0mcP{sgs-6)2$KeeD%1y5|p|23k(p;*EN{u(r~iSMMsi6y7j(!(H|-){_nsL`+a1z
zvW+q?d07qCm`9gOx;%=u5W&Gje8E;8yboTys5s{giQ)F#DTTtZ`dCK0s|!mi++vvO
zGm}^3v!?7q2w5iIm~Mn)4Om(rz^<OfU->q>HXI+oR&humB)jbOa-yB?9sO2uQ#t2U
zN`3>`UYZq%eyskZ9FYXpwOMqj0aSX_dCOkiUM!<k{e{}D4(@39i_!#$1c?h4+Qdx>
zn`O7ndkLw!G8O3JsD#=&l2&OOk<+W<ngl@IH))k{3Q0BeSN<8JPO+1il28cY@}Hvc
zVLP7Z><|ro3)n_(3wQ_DV@7%9gpST5>iQuFJ%or^rt+BxLV-k1OKW;>HB$i9n;&2R
z)!+YiWQhIk&dhS*d~0YE{5`xc(Zp#-htma<4o(~M{z_k3+jzp&>Bu;Ii-DGcs81$s
z)^Vf}!t+CD`!62@>G%WEcliWtxXLH<(KT4zGr)z8k<qLjS1N)FbFAux#>|#T9>MYQ
zHh4jdfhD-%e>d=n00d7e1?$hi|07eH7(Ye681rxU*E@Hjoy=ESw{#@A0mJ|cro;Dz
zWORc>Jm;Zv8t>Ps3VGB^T~kLZyl?{%djJF%xcTgu2daHZHZMwRJkEzuCbsluAh{Kv
zDH8N$V!ZR|$SPLD)KGD(G>@}?U(@1}V(G*f{|Q+bnQqnp0y=QVnajpugBAhzm~eWK
z@P!c-?bxBN>_FTNkwF^s0c4-<p%zZt!QjWyGG>0gYERQ+w*m1YQ#G|LW%Wn|nnt-o
zz`W}5keAM8`JkNcHp^#*;e|NerN}71g@%}9{%DU6?)?qbJ@uAY?BK`|b5m^jbdcV`
zU;KHIW9&;+`~?_i7a^ReZDT-R5lK(ARp5fV=(wBCb2130GVyo9%xX&Hzuzg&He1f8
zXv>k~s7FzMeod+^8fARlZ4vC6?8>8|Bj_3wl4Rj2e!7;6iffwcJhUQ({~5`sVrS|k
zHkLD!X9;9Wge;^XRT!Jbrz^g0!ocQ$X})(=3Ib%r8!zEQ)HP8}4N7CH@A-7N{YwG;
zl4>I?;RGC4L!T?Zs{38z0;W$P(Ch7uJ3{$bO$BbC>(Am5h+fnvQ;~&OZzCxxh&gwV
zmo*5utaz5`Meq%_O$wl(YHcISA29R|IbssSuD+6X;WIiU((55qu(GQzeH$kCenvzu
zgYat(es5P)ZnX~_dCHe93;N_2v|r|nYhG;QJ_VZzC@H|`U%l~%Z^5BqDVv)RirEng
z8yFjV5Q;h4x!C`43Wbj0he(D;qx|!+khOu66CvaOM<f&e`-3Tn-w&q1{Bba4C1ZA9
z4ND?N>tI$-{Ox|n^5fQt8Q!Idd99j5wys<2QJTb_y&sP%mJy8I!uiNJpD&m)u`=>p
z&FiTy7al3!ezy<2?xi^3^@LXRmNeD9!9G2$_*LC=A{2HdZ0grR<g;_MSH;g82^?8v
z3!d|tB*!jN+v?;#1h2ub_-;pFtRD<>PH&**qS4MpR_dYhWWzwhG-$swVTTY&!Ozpz
zckUH<=V*v)*h^riha=blreIQ3L4sxZ)g8Q8#@Fw|U8&~R9RB<vY|Mw6ffHRP#ACPi
z)GLqVwrXgzTnxnJZ1p~2FF0O9O1%~VXeITJC_e1Yy*H2b7SU0G&ihHYm0+OYAZ9>K
zVDbwXN+LgJXW-D_1&ocKhN=Yw8D0QzzlT3O8v38B%F6PDKjuyu{$hteA3wpv@crD?
z_qy`8x*#!eibz6#!)jLm8eyepZ3&HJw40^>enu7r&P?|Ul$O;y7%nX;OwP|iHOx@G
zZIJK4U-=JHAy=#iziyw&oP3~F?Zz0}B+tO0L%xTK0zj-3)*013R;O2RSGqN*_STo?
z?pbj1ATfC`^4a^xrWn{n0AQjV_zJ|;uy4qgq)fHnIY%W|4BU1>5q~aoT75@%ueel=
zVM2JvVrsFn`tr=S4Y2r<6m{`{g~dF27^EtRh{u_T#Dtlq)m<ZRX5Ez|HD4k!+_};=
zKQ(VYZGv4pEf;IVg(R@!U_*w<Arj~G{Z0Ri+;Z@wmp32D`mUNt8LEwRVttKH$p)3^
z2s&k+qT}BJ@?R2ZKMucuqy2IC<qugW;N%26`eIBdA^eYpS~(KN*p`r=c6HE2qyDV}
z>br_1^7!DA%dszn9F*$%2seHU#TW^U2Hf@4l!2k4OIdIT0na_7qRT=*dnjo$1X5o;
zOJ-zs9a&lCF3LTzyeB$WG+50doF&+(o`1kHo<P;oyH&?xX%idGVZF8TovLEz?Z*8O
z&NM$qkM%(LthO*<=7X(pmjO#6=7UChn5)g~S*{c!%_F?yLZ<$BWHd{kyGjsY&c|&V
zxB-b*49QH^#Ct*GjGDPEX#OZi9M3aSI306#?(*lSpEI~ryzwTk-~$zXdqwFnP`$9F
z_Poaj52>mywm`MEy(a0Xr0}${w}>wRbNn$U@c>2-%T4b87Lb1+*5*G`(kt?@I!Xk`
zF<;zR;xj1wWtA%n)Qhbq7EM+9(Kf?<bomzY&YSdZlNf=fE#WylQzy2J08}(cJAw@I
z19bgoJX>NF29u=r$>$UJh8K(b*7D(efe48o8;8NyhHP@srEx=+k3gyvUsc9fSF@vi
z+Czou0;$5IL0NFKXHBaZ^9Wk<x8H$vwpX#J%rnpGTyF5FJ<qVGQn@UBOfa|@<hOhA
zsUxm+GMKtGqtj7S)q#s|>f#gJ1LaBH@q9`p_+*rR<9TdOb$dt%0buk)0i7XJ1tyrA
zu;%C2aNLE$bRJE75N+DoLF>4c3X!9SFYj(1Y)&~}m4t1XB``$%00b!3ex<DctqA#h
z!G`_0txVYDXtaq>{XU{vtyq{A665>?{t?+ZtKLvi&(w!tdkI&>1Ae4W2`(c-2W-Ar
zV+Bm}DuEg)f?YCHqOYwFoE=(EWx)s5cEeY9T!iqMhAZ++Ht8wt3hTKw6$gkVFh!dG
z!pgv(_)E#`Y~W~WVPb7esBB_nZfj?4XJ%pI^dn6&0sv1mO{MhbYyaIm*~mEXu;)+!
z@unOB#dvj0=41dID~K<r^q#vQ>-0m;!ql8CjZ*YIX+Ce@Y38op;WmZv7s>)Yua!0G
z(}7AQ`ph9n&^Y`kQ#_7BnLEt}CkQgr12^B#8hw%}Wa!EV<oy@E*wX;}sLCo)>c{c}
zs-xMg5{RI@soRiu%zBGLG5)Ocrrgy{&HmrgIeC!>xK5x<Og+=Ev3MRG6u1F&dL2A&
zPBl7E)*nbzQ-OoNv3P}GwOf3Ml`tOuO{_fo>60wAZ5BgcMlyE48Am+#W3tti)JYk{
z530++>6*4hV<FL9P1EB!nYng-zt7w1j)*5{W(6^KGqYe9b}pO^TKYXt+5jcA)h~!h
zC^H}d5Wbrl8Ua$q!rH)=fdoMG{ckt~904QXc|!{)LM1wTIsrO*0231nI}0O#gO%-P
zO9LDM|L05Jn|da;&Odv6KU%QA)zXE1J@2UUU!H7Z^;XH}*(q>k!D$Y@7iWiikC%<*
z8&e<D%+I&{!khpmV44;`IQu3_HOeLhEH)Z*S`WrLWOlu*jqrW-T7W{Rg$zidrX78k
zuumS+R?MjS@zQ-izKGZ|MKcU&RsqqAF9Njm(%&e{*FwvQ>r_o5-zrDN2~n+Zh`Q$i
zNLofuz0uUVbS46<#HD*mv-~u*INJvciTV5}n6!`@LlJbK*<gmPCp^W7g;{z>M(84!
zsgD}HO%e4B6o^%DH$^u$dB#}`Qx_}I2efiVLU7js<X^MX2woS85kMT|al}GprA&5C
z?#s!iV?QJY;d7f@<zbNqyhZ-3%v;3iN-Fo7sCV-j*iBr#7-8$f6w;)5^Ky@8p#P?l
zvd8jb`ouYO8eKyh@6j8Z6Ec+ZBpgA5YssYDuxe!JJCoNnxf~y_xgW9a`_44OG&aD>
zykf^?(d9Hmt`Kx7^{RIHL_U73OtZTWoOIJnuq%rX%sg)El8lm!yAdYZU=T5omqni2
zWO*fxUAF?+nFp0MP(QjwF#8+|(KEqW1<@SmD>AO3afZ!WLiUGvXf;Iiop#9krmUUS
zu#LXYK8aUKy?)H{l<KFb@(#}dEj#W;ZI?CWX*4wt>m1>_E%1c#D_#LjkDICyjVOCu
z;pf%eIvM%!(lqlmSYPV1q@K9Y7AW7We{swI5*N|{sJ=TcI2!Svm7TbSnK|JflEJ{%
z$b?Wt^&g9dzL9OGo%^ZQZCYB!g4ONUe1oH85)BU2AEx7(&2r)Js`M-h_^W#wYof-J
z^NR&EI476lXSf%g+4ChwWXSxlCEqEbvL9ba*f_-a7&Vj@=zYi!ypc0h=(y=UTx5^k
zgxZFQLFl0rP`Mx048ibm*k$RIafIdR;AEHAa$~@asO={eNi8h10YTS<Xly|{P=HGo
z5FnN{F$j7sAYb629kPNgsWwfwql2gP(kFQo2MROa+-aN{0!=%|VN&yz%A&6EI$IDx
z6=EBuj>-@9%!4C17YyYUg=u4Oqx<;~ToHRIobmfkQ=Nps?i@1wARQcectX?>fmU01
z1@<PX;U`?|fVkNFf{T#&&s`QcG-x#mB@-zV4~8EtW_UDgISD0Y5kgTr7hB_}-9`~x
zV>?GD6JrKS0QnO(1W)h$`0TF-@Cn5P|H<L-x#x{|lBCo#N!3Fe`1juIC&^!GIFe;4
znoxASCdlH0{V~WbaT!{Rw1|jk=AOxBX`WSUZh6cwlF+OxjiiWZd&!lzbp}boOC@O*
zU5Ouhdm)YzL9J$Dd=m&2ZzR0T@x)b|(vg2`F`FYvAsFD>TzRz9a;vtoZ5lMbULO(=
zMWS*TZzlOV_*zf)+HSQou-wVGwNWtA;%dtEg-=FdlUk^Pnd9tKQB#64zZ3Y?{^h{~
zrJx&M1_^FW1CJj%v^1UE^)wtNV!Npjn-7VQ#|QqmU!<uPB2&u|-$4Wg<G<P5Q<_d2
z2m?2AKUl+-v~8ugVlq~bE4S#3!aea9@BaY|P(1wK0VDJsn7`Qsl-`r?>U-vh)i!t5
zQX8`2A(@9+Xr)ZLsPMRd2}}9`o;YjRlEVKr;zU;^!<MtZ?GV{~xJ$;_;&^JV6p;^R
zp;7b%$5eHYyB=2JGkIJVwr7@oOY>+l`H|6VJMCHwF(3{=AGG_$2miLTBL|Rv_c3_1
z7k}1nBJR#6j<&$FVZYXRe{G5U`}h87k=J;Q!?be_0zu2MCaZNs&}RK?wEm8yVQeK0
zg()eYO4>Uvt6j1!?g$)bGYTl|<uzxLsNyyKsw6xY=@Py*4Rx}y)8g~S2$b8a_Mgh}
z?J{OM4-G^s@Ac_DbI(ZS=SC_sDA7fa$_&b}lwX=nm92!VEpUiWcc_)uhwDenV26GS
zR<u`SL5>w&DqST<Qpzb8IJY{MwQgb8Ix9G9CA`&NerzM4=cwrb!&d8IlCO~+&vp$$
zkN7^;abcX@aS^>pq(_I^yRmMj=eTSXO}KH8W?2Y??9QOs!cv_CrLmAHO4UW<%P7^X
zXd@hrNyDU|9Y#%)*Zs+!j?y%<=8xvDHxL@HU!V~a{JG@{gMcdLXkq}gKA{Yddd*FM
zTOy7>xdR#jTFJoL)XveE0SAEfBsNfhBd~VHcHgUPX$u<*XCP<%ti=(q1Ox<r>5iBH
zCuyF}$o#ez@8Hk4v|ZnK4Z@QV5svH-9SDHR=%#+aB8c1qySpgWkq^aWfKP=Q@3ki$
zm7rBN8fmaK7ll{aAC@NVYIBs`Kf|cFR8B>O``}r_q`$EcqH;m3ezCIj@g(4FZg{+0
zmic*dv}hnjzia2_2+PYbU1(zy|1R;WqL^EQELTGLqL_Zu`U7`EaMjaL9JGCgJpAmG
zZ|qlB6pZS2&|j>Y?$K!~8%suJjP#ts7a&uL*o%gryR#~k?PXrNb4Gl8HZQo5j8ICS
zg#@~Cl9eKHM!Q<(EQ6a|FV?$F_31VmtKTraBcPw$i#L?4ziT;Ths7M3Fe7SiW#U6%
zI->3_{ooT>_yJ+^`2{B6ogIIT<^R01<5v+5RD1%zZd-k?yuV-F@gMKv{`}8?dyGF`
z{Mk_b(N*~;w7z-oo#)u{{&WyM=!+Go?7A&Kbc+pzj_<V=ZLMa%f?jDpV}U_XgYC1o
z69BNJn^_CB94rnUOJk2dP>nKf21)i;6A%+pl)Hp_T+q2AGETs*zg)lSv}R#q2oPxV
zDU!Du6dz$J+RAJl1MmQjt82M?6YI_{*zMGrUKq*{xU)hW<tmiD8#t|(U0W6G5=<km
zZ?ZT<Ch{}SQNtB(UTx9(eks#Cz|5+q{nRoNBj_egHW<xrw|F{oABmr&!8@%ly8}si
zB;kQ3)grz~f9p8OG4wz%$L#o}j{hSA=!e4<6x!!H1Wodvbg>I9R-l<EhvXA(3zdhJ
z-^z;=-%30o6#$gyul@cPq57+%^0!d^gENiox9&GP(|!oX8E<hDjm`LoIq_XUy-)77
z&B6yqw5^I`cA5pZ38m5&(!82ebmr6iq-F#8X(%RlTL7)RusDSh2`4oCr0<jZ3y;&t
zPKw|_lHO>RWGqn)Zm>Wf*vm-Hbl0jj<p{8+eY$7xjat)NujYFei7BB!3l)KNTSAUp
zN<BIL$t(g_v_lLqP3QQj*J$Chk%zF4lo4sjTRLVwDrv<q>cXy#7|M|5F0I=a^Pefo
zA5+1Sy8Gl~)4*P~7dJC&z;y;nKCV90W*y9Dt|gNk7FfAqQZJ5_bK&I&Er~kmVjG%^
zsBK023$_Z*oEofk=kb{4>0DwR2M<O(7okdFbOB>HrXnA(0^6xK6!B%l&?GSrnc`iM
zrKmdPM`)9IJ}i@4i$4yfxqKD(QOzag%iUWXGxyrg#0Tc3_Ror{+qK&+Ub6x*kV`ri
zn+b?Q&0hl&ITF0A{WRs!9Q$UysXT>S6!WR41w>&9ABeLXv;YxpAqdm6_BTO_-xf~F
z6zHI9Wgo_27wk`x?^Jhe7VFidmbPD#VGLx_xy#-xq-VZ;Iiz-hvpo<ShU1^;`Jqi7
z)nX1wQ#6e8fc%bRu%YU8hagD)&CCOUu75)GYCF>9+xbZIc#zfz6taG60868;*^1a<
ziuhT64#q=yxM3uRiW~=KbG1>%<B!umfk0Y${rVSY{e}L4H&*;T{iFRm`bR?nj<LxJ
z%l%6Kf1Q)~`RqTYpWh~dasIF{$ITerYlUuHWr*a-;?C}!P#vzI`_|ww#7%lWsKnD;
zD*2R(MXnsRDrW_U(Idea8G(o5fjP^!Zo;h^rb+U;byF|xg+DH^B?ww@19}{46;Fv|
za^_k%Ug2ftk!G9+U?!Jfz7k5q&}yt;j(M0eB*zj><vZxUJ&RU5DDy-NTXY0inoh5Y
z=GiZq&p$$lhq$fO@7<f(2<)|Sv@^~df}K?t@z}DZZ_sZ{=8}i?HK_;%uaoe;n;_+|
z6e|Up%Bd|TdqCtXe9<zg&<&rzP{w|uB2NlwA{xgmM;lSzH${X!5jg~D-~jC;wjGL%
z+72NzCY%0FysVY{`iWZJen%_d7qoyi){luP7&K@BM+@MMV+KEGNTAW+l#J}0ot=yg
ztWEw*(r74Rc7N<>eBVL;*ZmCeU-mPeO8-B>G9mnP-iMHu@E^1XI~@#R&h9jruW<*l
z@~-_P)c1%3&<c79g+RFi&vxEOWKry21>(wP*Dcy7_cMZ4L-In)9$((c(Q5#RKbK;w
zT5b42f4#tT@#9eN+P-CJaF#8O@JHKf;420XxXbMb#jx~Uf&b8ejSe}q|DgyXo=fx<
zBjN>!De*vrg$-*s3RdG}4W51-`yE*L*yOS(^a>pBfzGReSNBykO8K#d77ApL1~|g6
z!(SE)C6cU`alTGPqUyyf-qXQv$jk)5ag3b>``t_Fj4&R)F%%+W22-T~jj7|Zr{=S*
z-c1h%_0F2QT~xBs&**&lS-rGLPxR|p4=y-2?12P>wuNZzn%EOwK|qE7I`Cid`fJR=
z+1$X*+2jWX>;Tp$;Y&|xL<OX802|@2&w*AK1<oBCJWXAB0-NV9P9}tQw$>g$CmVqc
z_NNa3uQGZX*!t1Fc>?Tjlz;AYy1!RK#+jmf&_gI@C*;m*9+(^=bRUR93j&xTEpfge
zN6$ml{$O{<l+0t6XXZxrtJLzsx3Eq@pFXE<dcG^My>F?t?=lO{WtqxLt^QX2{)FMK
zsQKa^rZ48xJyilo@OKlu`NahPvjp>3zu*VKd>`rj8;$dK)epFs7ro1%KgOGTm#rAg
zsZzs~FT9HIP-6lhzDetFq}(q+A&z+_B4Cpc)?Bvk?%hJEzkusYv4&xiV3xx=TuNS2
z%GW&v<Jt0A)6>IhXuZ>dXG+=lz!P$7`SPS@5^4`5_`4$bKeU0O(yvnc`^4~{(fiw8
zUd*m?>;#-@br~Y*a_>iBGv^c<wmfeVdk}{<rPZE0YSbtxUu4zxEPKaB1K&ZZXU_|H
zHme{EjvrBy`Y+$|!rk#|-^T4Qd(NX<eNL}^lkM;6TImoyd-x6UF5UWWwaWhz-RHKW
zr+{A0H^sO9tC^5vI|9f|$br?%$)l)bJoHkZ?M>USb46RRqzgh;hD|Ep_Pg7x8^SJ-
zB2u@~tSwS*+{FPR)8*@k+#>p4850#K+RQ!-(KT4@i}v>uW>*uKtcb(3<jWSH2Z*u-
z9_)_178f#;b)-(yZkNWT4Amy~sw+*NKVDM^_y8*^Yr~szm+*Yy6_c6(cZ9+be1mr7
zOCy|BwE@1iJ)NGkN|BU}JWbNNmSR<&k9H-G66zhNMUR(F<$G-RElrp3oVU9|g7_hG
zfx~EL^R4S4`c2`Ks%7Xe(&0Wk9DGDt<|$6h5pU<duB=BSmhM7%eW=QHHJQ7i)mQ^T
zteD^zXR#Y8ZE_X^PHXQBwjXAOL1m!`);hZ?Z>b{MnVm;z;A=nrA-CiuQHj_XWjd6I
zYo|XJMcs5o-LU+Q)ur@X2f$vzD(2g@xkvux`*Fcw-#jKxI&FLbl-EXMSPoV+hXtXH
z4BDKQVrw5fG-e2KD$gyGOB~zOBqyXYT9Ln2NegTrz2MQM%t#;UtW{Vj6x$9|dLpi{
z?@=54OVk1r&5y%pFlcbHCT@h1!24Q&eWM@uFhQfiKP?an0Y^d^eq8YahlcTe4_!q`
zL{V8$1$e35&mCGiz{{sj64@Wm{<s3~zYw@MWy+exx8@|DJ*P?Sl=?L1q)Pjy8$Rtg
zIaDmC&mb6lTg(mtZ-PWWR2w_i;oBgp9lM?i^;pXb@S#l_H|RM_St5%uD)j~A)!A?K
z=P;#Tbkb=nRqNGyGx~-yZ+duugnbX(|64QscVgEM)#N!V(uYOhVURL4MAxHHib?5m
z`2d5B5<(eRT4UIyv5>40p5nu+kKIdWlhrd`Y?LT8VhbF7ZJgM3dIjy?8F@y64X)?K
zTr@E^8+PM|n1s==yc@gDgIIMjQ-;QizIjk*!C02j#N2HUXs1EwURPTLkyBd=eJEz4
zFbczO(Utkym>ztr(;qQ2u-X+OSqchG2OP~7iA<}f(%iwj<T-aoPM6v;r5`FG6Ilq<
zG#eksZh0DCHe4w$4}3=Dl&O#oZPZS!Yb4|u@+D@j@ZmBy1r`1bDl4j##-x88-=V}7
z?Id);_(ADpvE;#7)}r4kTt9B5rypT;ov~shj!VHk!7S{UNA&?=+~OJTvkNkED<+$3
zTd_MQp=}?ecc#@;uNVW3R6=?XyW^Ar*l1;w-fV>jI-J%l+KU3Ss0+ms@T+rvp|Ej=
zk@cn@$%01%o2vQpIiAgfWgehPC%n3_f-Kg>3>axL+t@|R7}4^dl&(F}dR*CdDkI^d
z1?gl_afX$clTgR;jb+_Yh()>}_r{ZX-ZpqBL_XdrpvPY<EPR>rSuH42o<L2xi1+_h
zchzxGty`N;K{^K*kOoO5rE@6h5Cn$q7Ni8FrMsoUAS9%u5ornOp<6%!k&zNVI1HZS
zxyOs%d(ZuS_utvGXaDAX-WBh&p0)ND7i0EPWmEKJZE-dUGKGpQIvJe<B+A$!dTBZ3
z`(@J&cdL%f3FkVs{3$ORkGwOg9Wl^gThn{Zh=xSRUyaT3<fB3&096D_b@%-y`-978
zwi|w$BtHCu?fxa<3mf=}iH|2?@8Irq!m+ymVVTGEb28xHXM<1T(8Z%dyKk1mr3&#(
z?GJ#gtZ_h88)GbGulKm_GfBiNq>x^rCX||9=m4l_=oZJW@_uEpemAt%z&!O>g=N&N
z6|857(6Rf*$y2cUqmn6FN^h<eX*2vw=loG<>r`)DZs?0-a5a2(&XD2|vQTu<UIm(?
zNr}TY!1^Av)h(UY*>mwy*xWeJTyiLKGUj_JPV}x8ILK$G%!H@$LH!Z!m0)KqSF^B5
z@(SbZ6G1&b$95J2Wc(|uMsRfI>`m0?jGAF2<cX3IAyc!&b}P)Ak^C5({tw1P2|#Qf
zVv7aG3no3yI*#(J)CIcUvlIht_fuQPEI!vKkQX|X5)oiR3~T7&k<Va@IfX6q53v1w
zZvSibSVa6k)MNkMJiq>ZGvX06@(7{SUN=K_Jl%ahy9yDkNzy7)Ioc(3oh?M-bCzZ5
z^h2^Q_`tLZkQ*11=9ij{uqm1Yr%48I;s@w0{|!6Rnh@4Wf8Al1Lu-S!kUSjK5NVB1
z)pr2PK8xzb@_QOiS_q_j#Ev@al#Hk@ZRxTNHWi<8pYNFPy2mtaNbCE|*{UfRmGn|!
z8ov}sKRj}WO9H#}(LWG1-YIjkBE?GX8p6KQ!+RJS(yX&><YQ27V9K#qP^IX4i_%s9
zTGMKRX7a=GEuY-p`bjQMujsy61Kd69ry#w7<hX(C1!G-w*B6>bbMh_}2}ATlXh=H!
zN!ZxS(?_ivR8iY!*d?BZ%ee2cgNc+d@Cnr1ZNYXfrp6~-Tuu)5PQO)E&PN$z;uC$l
ze5P+YkC9Rw5@#{;#<wq=tC(QDi066!57OP!y#I&8D@M&;kVA^g4L?Y)1smTHWRA1l
zF~EZ^Tz*uEL7*n9+A%3m-YpBH$5T28@gJIrUS#rSgdc~HNLXf3y?7f)G}-QBer0Bc
zlhY6Jx<jdaRR{4)mF~$nV#pf0pex?=(-&}wr`!4e<C5@P$ThU{kAh5|BtM{0Sd$t@
zC0g+O<hPpad|+M5Gn?X;DcW*B9KO9LtUl8Fv-^UF0;1yh;g=vjM%Jm6P<1qj`5}4O
zF=GsSLsgk<!Tqc;{ovLfeo?Vo1CvV=I2r5{@QPp9q`mgp7%(h(KSbw{TlGjblDD@G
z;g%^ICZgA~(d>%(n`QKh=0Ab+ZKjHk$(Y`e-GorMfscG<J|yHi^;Zgiy~|M29Ybh|
z1~JB&UrsEvn=FK8zoC>#t_i8aTh1El)xkAywGS8*S7L0?(a=GPe-_E>+laMwL?vLt
zseS+M==^mkP=u*ElE_Y2cJhS+>fA@NwR;%uBaiFXZwIo##9#l_J<SFD5A5lIak&Tu
zEPpwbTCdHwJqH3QFA9wDh2UpF!UxSVoiXJCqsR7XpHl=b?_y(Mw2GW090U==!?sDR
z<&In!>&*4gQ7a&(xm4O<S)&?_8TxGq?#?zcw|35ab)Q%7gVg%}?w<aYCAoM{_x8L)
z?l2DM77;Zjt|vLTzKmq9Wtzm4d$Ut7^76I8y@|*8Mo+6LmCf%yCsN4de?sU{{C+UI
zX)B7CiG*Hn73)T&4M?PUc5+<4l7JL5|82tD2>JpkJz$^8RDPdK0s!YX(*G2cJp@@c
z;;U6Akg(n7+|wi)=R=6@Teq2d$*+_=$6+qDJ+u|xI&=Jy50%;*PG3{9e9^EznkDU-
zE|SybGRASIXUITtx+l7bRzRE{&MlUS>#Y5UDTzv359C?K40v)dua+2NQPBBh+36W&
zg)<6g9RYxQ@a(l3DY(x`2RoGAt+B0;N1r0`l;wP!GjJ<#OIxCxd^cm&YzmtZoqFn&
zlD_xTKgpl{WQ-N$;6L-)T)%6c&MRFo-NL_4stsQfc*VT0G{4(GnrILatX4`T(%qK<
z#J6P<=(y~C<FmCZpYb@4;p0?&JviSob{!vR&_10+;EE-=YD(0c<HFcgEG2tr2WY%<
zhfK4WrP769z3-5IfvlDyfz3)#J1#^<^DA9utb>~0gue?xtN9}&3xSyk(OVR9N_`U1
zf-9OMa1Pz7A3VK_1y<@f_objMhJE-t2rRxm*JNgDrlU-45&Br8^Yd4x14uw#W=c5%
zwohJsxW-nCg;>o!BePy=9Zol%`sV(Clr&d@L(nt=Hb^3%(#H9v$r@O!uyaU#CWyVA
zri{KPLr2{r<EVj|{gnpbj;JAV0D=a8s1GbrN<9s>e**DG?Tq{!yl1Q$$2V5(TVLbp
zbmo6TtMPDLJ45p7w>y3!;Bx(lWFjnG{enm+u~fJo#EWaRIq1iu>Mf;(DHrakE+}AU
zK#0(!oZm;s?%gF@-L7m5V5Ua%O5qv9JRYEL)8^!0q}#cDJEyubuOjBX4Qs~wltf7O
z4SCsU3gr#@nGr*_dTO}8+S@<9EPTLkfAVixmWzkjPtNNbX;W}(@pEw>tak^66%5Hu
zp#-m)L~thM@kLQ4^|2YVY)RKimW5<BF<t^WP{(JOH08(QA(+w!zRnBTIvDlObSSw=
zmMDTEIo!GKgyX%)$#@6=FEgS_I>*ph79a-Oq#JjrP9!m`peZ;AS9Ibvx0(Ch=H5ZX
z-LUFcn;)p<F^uzl2{yLTCB8Q!8b|pItA(1;A^7VEy^W0_5}lI9J@3uNIN9kciYbS1
zWP{+m)Q>G6)&@kyY>oIRG*Q|RWmJHqN1iyC*ha;!8jS{S4Z<LJHK8OrL|58d6cvz=
zHTR{;azT+=1x7I+ltQbB=6)zLh4->};6mOoj4&=dbx=>fcThhdjA3dVOnj>E^S^K2
zM$*#N()on^<NOC|ndfJz<@0&k_(XqAEnk>Q6=rT7`sxg&wdeMwXX!Yj<49e?Vzsl_
zw$YWf0O{}^VRDnUxcT(pT#dg5SYB5|F8~ZycP8>6RD}%D8lW`wNXEs5BN*AQ-<rY=
zXH3!akHYc5s&_GCx8lp3A6A!Kr$Eg>t+oH~?u!y8)2^_8Cj55VvpvAQklfX*F-KFZ
z92L(Gb%Qj9ST(xoGqp!5x|k(NW$)PDA*~t(O|x{2Dm5#ZP)_v)Y1hi#?6N?m0Hn*k
z9%hg3@p5zmv^ANpbA9QI(Tkf1Xi9BV^JYQ+6qX)Mm1w2fJ&n$j>o(>Yq%1isY{z7I
z$Pc2YM9=f}6ur8>$`H_b4E}O&*(;G^IQ{H+P<o1L@!yRq-_N4@d;R#YQ9V64Tx_sq
zjSQ@ZkTKn<yPo8a+|2HG3)guS@8mP2T+6ZGbmZeUTHJ9ob1!{jnv)kg9BFt}M7-yz
zHCNM>ZdS3W#hD{;+PrfaO+2myiNUK%DlHofWNn%b9t8ofyn(*JlHdYK1bi1qXAE&2
zggtTsYw;O-gIenc+3C6~a`lw(P7ryQRY4ygZz`k;`qbHqTZJ-08r7rE=~WrwIYrIJ
z#%b%J%wrqWAiY$m$2%X5>-Q3@!((F^x?^6h6^b@xwCwrz-TriI@{LPizOW6ZT33C{
z8&VXf<x6^emhDI*bvAEwp`R_%Cg})egR|Z}*-J{B-5KU&1moJ6Cxr7ScehB<!WxRp
zPoaJOJ+!}jT`4=4Z!fQ5<NQ4sop!RG=xk4~olg8<mrzy%o@jI}?Tle3#FP4tkvq`I
z)Xdb$^hEUdhtnb~j`0A$|Lv<BEN9V*7WVm{lZ`)B0WN4#u8gmg5I=Zr%WN+@6Q{th
zh5Vt_9aqeP=l#ZU3VdW1ALG$y9BDH)MM|<#GNso8P4U6cJHK*<aw9^j{5*w${`&9B
zG#Lx_W@|(pdE2^WuoIarnrPyU2q7}#yZtO*AINtW2~R6PqI{J_&>#B4ZE#=+k@OyZ
zVb)2x5>L!3^@z$&!rk_gUed8_LE9A>J^e3sE0h&b3#oxXKi%wy;iU^qzQ=Tq!9@*q
zk%g)W@=sO57x6hsSCteqAcf^t!*%@Xj$IxeK2cNN6u#s4U+U1e;2tl>&VTk@G(Eh=
zi_PTgpjg5e$o9xbtK<=J@j9TJk=mdVFt(D7M6>^PVhpC7tU3j^;+*3?X+nan?Qc_B
zL^*_iODza^{{l?|E{<z_Fg)2{P_h9TZBA8D&OjSWun`;6xr`nYA8-mPCqF;`IjE-(
z_$Hy^=HNVomiZ5l|51$#$awl>rVAZ&k)r$)yuh-x93UzokqI-4{6Hh7oMOa#U)MbI
zs=K01&f*;wO%OGfDgA2Kr0cPvWa(b`0@zf#Rg`^8v;>r;_n(A&SNB-UBW@#HntYZg
zN(<-X5|@>Z##A1Rxf|q`uF<>LdT-Rq<XHegV7zW3m$JQ3N3GeVg`@gvP_t_Yi1bU-
z<NA;sbN1I6b&jNl)mPuKc1F3HdB)9`+#NAhyM1FMt*nm;ai2X`xok-G4KkO;!!Knf
z3fPNDsCOVfGc{-$h5;N*`<}A7mVpb`MJNMrdw3AmZ^A_o(x?-|MbXFBVS_B98~0@1
zrpJpnV=K<s)AzNKP#c*^IE)N8q0XH-=B87C>%X^N*lTz&@Ub;boh(mh@WCpyuwZz?
z*qmR0y}aj~u@T_l`)x<ybHa?24|x8~v!D1U*(NMTBjU54-vT@lb-A7m#s3pY_iLuy
z4(8P_g}(+d8YN8qs(mZ$%9Rnri0IL%BtMU3ZBo9lHt3Q`Kt;CW;rsfUiC#sxijJ$!
zdF_^t@l^ab$|O<KR<REh<z7+GFo7evXuuEJf~f4mybOqdDv|>ZH?`Il01G|tAGF7?
zTgs(kn^;#;h*>=0cs<0p@6K`0@8FR61hF<icR!2IFEs`kg&4re&$LY~-jU=I6QFdo
zv+TyaBaJrDHOLa*-*;FeYHbpxrFevo>+b(vUmbca0}Xx$hYp2UZep9l!^}F#&@6X+
zbCB)9_SPo)nq()T)jXmd_uIk@4Y+nFnpIql!Q?FWw!h)NE(31G5z)t&npVDautuHc
zQ=}WdNBT#8`uEIA&D0e5XX~~xH3!>VJyAm1I{(3=!w~;w!QTKsQAqw})gIOyb3(@c
zjKe++$rm@!*ZNmFK^|SQo=<+q0bk&{##J3JM%Fn2R?>FrJBB`RZ*&HuVB|53l^eX3
zQUW-QC~<vsdU*M>A8EgpuP>Yw<@5HHltw%)20)GlJ4R5wl{L1$=?=hccqky;fx4oc
zYb7*$IFKKqw0cnH&0;6$m0-d2p}MzL!`7-@i+h;>rpCN-5)l`^9{XL*=9akfkGB>X
zQZi^qUvKoM(mhz{X?Z2p7MAFNV$F=3@dU$8R?r?Ygi9*^ITE#TSIr<z_!BYfvSpzX
zmx7VoTGi^(%WHL{p~Yz`D^>SisFiZlEZO!s+#oxcPc^Uf`xKs6Vx*urt6gYv4G(dz
zGCa<hHrMgYs9R3YhmC(X)SO)B&iX>A|G|O()7X3hwUh+skB*W4_?`W=wql<1HvQ`w
z24)Ckw4ZcCEM*p|TfDbFBD7^>LUo5jQAh)Cs^Qq8(lTUa?hVV3f)%{GVj0$4E^XQ;
zpdTA=INatbGIuNPO!v}|6v#GKq1s(A8hRpwD%=Bv>peA;uJ2dxKjjjC3vuWE?c1{b
zNZ0Z^0e*f9@Yf0Oi}Tni|Dl?S{erO_q`PU;LX$T5MB^S)v?^vz?I&|I3sKNo;s&^>
zw*0PB*^zflKeZ!NQfJtFWlOe!xq!VTnWxn*s!f?AL*=+(2(^vtAmM+1EKZ_1v#0>V
zxvK>4dfgb0XUeP&9*HMM!(up_2fgqaHN84Ykw_Q8Y++Xs3Pt?<Ui$W|;nx<QJ1h!4
z6URZx)N8fJ!s?@gI(H#A?D{hC;mE2PvKAZ66S^|n%G0Jg?>t)PNHNIi9WTC1DsttW
z9)zjBNTY*XJ<J%on!nc0i>H^vM2RpCp%SbZy{sv7pAbo|#E)U1O*^=G3i`Alhh)Oy
zsV%O`T%)OVMuO{r(3#Qv55WE_gy_YvmtbJE46{PaYpyQEF-+w(%sy9)EC*}e81ZWT
z)GHj=ogF+sH<oMJ_F}%VIbTLuUz$I3IHC51JwYSR8wUJG$TF#%9{6Ka<8KjoLyK5t
zwj%DM6ku^&TK|0GGLT}@N%}(`LWgc^r>3Ps8%cAtC+09dTx#8BtE{lJAuxb>II6NY
zG_!|ms_KiVMwv1|v$!YRO|c!QSitGJX%X`<iW2R<W?7MCj%t55;MEl&s^nvZRU+ev
z*Ju$?PUzsllIzq9Kuiv(w->(GqW6hqZO%FcR$4AFzd5sQKw5#=cCgS)Bq40pe~9NR
zjZWJ>uHj<?B=3)8P&#q&<yUgm!Xf`Nuyg-HY2aemyKB=_kM2^DQQDL9I@j-YTF2pW
z+}z@k+3k<U*d^}B12+?iDjq%rM=iMmn{iRRpRwBI@8XI@99%782J7US(<}6^)~V_`
z0Fkr@JUVkN>->mKijYI=`nBJLhwZL!iGwiH6B*38?B<GN2>}juKt*<v>6qYEn*c3b
zvUm3u=yBDvr4ls!x;R2sC&zN$Gy978xSMJT69Uc9*yCdxpUSX5mQLKln?G*BU{P6i
zU9OU@n#aoTdEBa?qY<*as-_26OW!gg!Yt@CxU@Ch;`*lKv(?7~vHWaqg3cum<F}8D
zc!vW_A7L-6(Ylc9Q{buTwzIDIfdmPQA6nFCCI0=epCmRsKcDyh(8>P_?AI?m?v&7?
zp)q+}e`I*+>59Cd(xg}24Jp7&mf2$_gnccv9FqV-hTZL=4$hF<G^@-{^To>}_i8k%
zN~`3{k0bA)YHe&vK+KE?!F`5Uxnt9Nv#myGLhAVIpe`Nt0Qx1CNb-#J-K^*qZqS&7
zv6ZU)VC1TUisC?srDwYXw0siJ1>$*IUh{22BcWT?^H14yA4>o+<|Ip>P>?pGY8K%Z
zrvzS*enqJLbmPNp=sIuc#;4K3kI*fllBqk<+@ur$(QX%7QtH@og5yGF)%M6?B+z2G
zu}ts{OTX@8nR=FcH{0TivD1eJB$~{f7YNYqEs10}S94?Z-4?kPl<@F_+A19(4EEE^
z=x>VczbRJF1NFZi+kXZ29~QR@G(EgjCrnbYuj-BI7sd!3!!MJ{2@xR59~d$K$NfSq
z57b|$kmzeLn@poX!{r2vaBi3iMFk^;%yNLsi*LghcusqjHFTMR;R1^%B0c*<iWDhy
QQp8H@WPB$d8MW^JA4$dx(*OVf

diff --git a/components/mbedtls/test/server_cert_chain.pem b/components/mbedtls/test/server_cert_chain.pem
index 1ba9a74b2f..afc99a9e30 100644
--- a/components/mbedtls/test/server_cert_chain.pem
+++ b/components/mbedtls/test/server_cert_chain.pem
@@ -1,63 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIFODCCAyCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ04x
-ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxJDAiBgNVBAMM
-G0VzcHJlc3NpZiBJbnRlcm1lZGlhdGUgdGVzdDAeFw0xOTEwMTEwMjU0MDdaFw0z
-MDA5MjMwMjU0MDdaMEgxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTES
-MBAGA1UECgwJRXNwcmVzc2lmMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtr0++vUniW0Z9V2c6/gNV1hMvrxRogq7f
-uvRMxF0EqfmBIqacGe8PHhPIx+Jo7Kjq0AMZk9vNgnavjlmajzOgiJTCH1JYeQWC
-FOX6M2nT7VDFEIcfJFqTdKEhm+N75zTEMOAwi/jWXrYUITzp01bSBQIL8qBEIier
-Owq6tvFlTaqN5sjlMoOQ4UmyahpY9verb7ATO0+m+MaVXfdRVfc4rxsm1EoAsWff
-vfcTuDkXaoA2M65L7uNcPOrHDkcP5BlNMfYp6GH+GtX3pZ5dRUacxau7YG1hYoPQ
-92HvMZxeM/yhJ/YWRWyyH7R/2SEj1fPorN1IgxUR5KsNdEqfImcNAgMBAAGjggEY
-MIIBFDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0E
-JhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQW
-BBR8LwbfGcYMVc++Ugdoc2XXYXUOBzB7BgNVHSMEdDBygBSZ45naA62T1+k4QIyt
-n2h1bWyGOKFWpFQwUjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMRIw
-EAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMME0VzcHJlc3NpZiBSb290IFRlc3SC
-AhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG
-9w0BAQsFAAOCAgEAQ/9JU171woAvQlZ8gmYIOkyIfYQfKmhvw+2DoP+5r1+LOHtO
-frg9BshucqXlQ65yRWL8KaAIFKE4e/qBXnD/ZX8R8lR0aMKCgYVW6A1n0wWko/fU
-RNXt+sXr+fMX7h0HOC3mzWf2fZkR5B0jUSBQSVkXNt+jkjWOFIGzfHDKldgX5rVX
-vNmHwS5zRjbOvPaXrmNpV7wkQ/bRJbnFmbT5V6fwDFzdLzJami86eiT+C68d07/W
-We5htv20nYFYdwQJMWYlnGLPPaSE+n5m4QqsrlfR7uOgnuX3RfKHMsiWa7TxLA4g
-D9VZq88SQLshec/CIcYlSgnEfa9LxL2mKv386e9YWD2Oho/B33L5tdflihR5m1sd
-9xIgka9aXmHu8GEVaBRqzqtIReoa7KfmEQWYjqXH8YdDLMlMKl968Y7c779/SDxC
-1ibkanS1+2dPBYpoZldcnbH8w2dguk7luTuPlJxJph6NHGI7bbxL9z6yc5kJi2dS
-R4TNXI3UKZ5s7ZUPTv2nYMJIbyEzSjkxinLsr7rFLGlAIpAlRq1C6jmh1ArGA3H2
-jK0xYZcMN8Sz9gYV/zk/VTDMmiyZrYmZSxuhQFZCWaLN79z0pi5SefLW+1K6CzNj
-hah0wJEtzq492IQS0q3gH82iGM35Ffy+rtAWIsxrL/2wn+cOrPGvRdmR6J0=
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIIFjjCCA3agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCQ04x
-ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMM
-E0VzcHJlc3NpZiBSb290IFRlc3QwHhcNMTkxMDEwMTE1MDMyWhcNMjkxMDA3MTE1
-MDMyWjBaMQswCQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxEjAQBgNVBAoM
-CUVzcHJlc3NpZjEkMCIGA1UEAwwbRXNwcmVzc2lmIEludGVybWVkaWF0ZSB0ZXN0
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp7FJAjmfYsTlrcZPRJ3g
-+IiKW/Gm3q23X4xzdKUQopth3DPO9FDvnce9e7JwXa1WDF8CZqWkvKrJS0njEAUR
-JERLYSr28aVFUyodnfxp/+1B5aJFj7LHampLWXsnVCchHHZB0pYZ6KLrTUU73KKd
-WaJODtBrq5g9mNNZqVOOHljgr5r8AJefemsCs+LhGcqq8ZFWeZBwzF2YC0h+55hc
-7K5g0MnGnQHD3s5nuuSJ9Grz+NDvzESYjmZfTq56wXN6nQIi+4JYBpAx4y63n6NR
-0JPsSePDlnGC4KNmHOeF9nXMgvqEP1doLssKKWdPZub6VQHLTk5ILFr1JKaSPjgj
-4twKjCTzxN3dPmxY2KPq+tUtoXFxLxqrJk/HyBwiClxSlwhyAe9iZd3Lh0RFENEf
-jS6gdD7coLlkJzALLcUTp0VWFWpPT1MbgYMHnnOuKXjw6KWXz/iuxvOJO4ip3tRf
-ssuog/cMwmkxKC9oHfoIPBuafW42/os4aZwy/7fJgAFO/e1/n6T7T2qygNOKBvYq
-mS6SWm9OFhUJuUtPlUdvHiVDQx40S0a8Z2Rp4XcuBU0M8Toi3lkEwJX/l89Wsos+
-UOITA1B71HxkzHMZQNdXLfnV0tCtC6C3S8IktFm0Kfqa8ruXbjzkKg0I8Wfwyefv
-HTc7FRQpyYgXkVLt1ziA+4MCAwEAAaNmMGQwHQYDVR0OBBYEFJnjmdoDrZPX6ThA
-jK2faHVtbIY4MB8GA1UdIwQYMBaAFAqo9zQmHYRS1EF/1Fkb31gvGK9HMBIGA1Ud
-EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
-AQBl+7vf7T6K7JhHQTFfOlUNoy4rdau6eAfoQE1wybUNIeuKLqhXfn7uLhYLE9Tq
-LAYcMN8M8F2MFt7nNifbAFRiXCRRes6tFyQkjqG4SijvGoMiCL3pVYEgrET2qIm8
-Rvupsh/u2UuGivy7XzJmMzU6HhTjF/Yfc6AiPkISzMqxLtbzCD+3TOxNe9nalsFv
-gmQsCYUqVZCwdThvHMWY7lC+KZ/f0X8gyVHZpx6K/K+MbMSTzZZa7VEjcJcEQZ8r
-+Br0e9X3EkGsKbnq/kVouMZGrZtbOXYNjoVStNdobNaJ1d379xbt8UgkvvSUhJoK
-Y4pZoO3nZZUHslLDuLNG6m2tk1SHL7NPNhJoAGwqFtLyrUaUaGa+uIXev4xA0Cby
-vUn+PXLKo9NcnDI38l/NxVhqWvKAwkWww/GDdic7GGfzJVSr+K4q3dxy3JW1nh4n
-gaGSeKrP0lgO5NqJswGFSrY05lx06HKxHRJRtLf8g+llrGrhApRVqjM9t0By7CgK
-E/EgGWG6MyGi2YLenFdFzFRgqEsKVn11XV+rkaC1NSu7l7QfTSiHrynBsYcCTnzD
-z4QxJvlLon22Jp1qCwFVKXAE9wc/ncENqiA6vbjP9pq5yps+XbO2frdSQcNwHFIR
-aaL+u5SAcyr3qV0I7Wghq0Xoo00DV/pm9K78tIamtsmNhw==
+MIIDVTCCAj0CFG5WO5Ukqd/0PnrSPIlQnXNjrCUUMA0GCSqGSIb3DQEBCwUAMGIx
+CzAJBgNVBAYTAkNOMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFu
+Z2hhaTESMBAGA1UECgwJRXNwcmVzc2lmMRcwFQYDVQQDDA5Fc3ByZXNzaWYgUm9v
+dDAeFw0yMDAzMjYwNjQxMTlaFw0yMTAzMjEwNjQxMTlaMGwxCzAJBgNVBAYTAkNO
+MRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFuZ2hhaTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJJvZAWtBmNDUSF83sj6to
+qtZJZZ5gammo+TcTWxXbLotITcztxVnJfFymc/iZwqizcP2TyxuS3TmgpwdHZMel
+Z3PmYmfwDtN8lhadhEdxG5Hzm2FcLw+N/d/4l+NeCv/ZrYmodvh+23GgNHBY/X6R
+tMdriIRGpMU4iFgH3APy7NsEcmoiUgZsEc70n4nFkpWSANZl9zvOKTdjO+S5aO78
++YXvcFqAbHFEPOh3N/GEerV/3onDXRhL2mSFUUvHM7Pc75u7AvymUJCmVWemPon7
+YxpjgmVS8JyiwORPQQ5EC2tgbBkokEqfh1F+2TxZu2ezvOgnZI1QvlNnajIBvZ3B
+AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAI2RzAwx1IiyWYPbSQOMjATKG1hiqNJF
+fkkqJrSfu93iQyye3Umb/pdUf7v5xgN2NrW5VnRow19VR7uCU4VCCBfx77f0Zp2e
+UA13qhT5zljoqgtkU9bHbRfTW/Hq30joKqQz8+Z0Yom6qZA7XjAhXXiHt7I4Noq6
+y+HwH08Xr1nII1c6Zc0cDqK9UV02w2v1RJrnGlq3v/CBpanA/nz4LdP5Jqbh79WW
+bCe8+Y7WEYR7K4dKSkDugf8ROAaGuCYAbhRMU3tFjNlMRR/5HcBpy7MfUvX6GcI0
+QCfe4ugnHXQXNxS0rb2uM6yCHOTiQ5MJjBPh9tRYV9bSko5u/NmwsFU=
 -----END CERTIFICATE-----
diff --git a/components/mbedtls/test/test_esp_crt_bundle.c b/components/mbedtls/test/test_esp_crt_bundle.c
index d3835d47a1..e0c8187a65 100644
--- a/components/mbedtls/test/test_esp_crt_bundle.c
+++ b/components/mbedtls/test/test_esp_crt_bundle.c
@@ -63,15 +63,21 @@ typedef struct {
     mbedtls_x509_crt cert;
     mbedtls_pk_context pkey;
 
-}mbedtls_endpoint_t;
+} mbedtls_endpoint_t;
+
+typedef enum {
+    ESP_CRT_VALIDATE_UNKNOWN,
+    ESP_CRT_VALIDATE_OK,
+    ESP_CRT_VALIDATE_FAIL,
+}esp_crt_validate_res_t;
 
 static const char *TAG = "cert_bundle_test";
 
 static volatile bool exit_flag;
 
-esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint);
+esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint);
 
-esp_err_t server_setup(mbedtls_endpoint_t * server)
+esp_err_t server_setup(mbedtls_endpoint_t *server)
 {
     int ret;
     mbedtls_ssl_config_init( &server->conf );
@@ -87,52 +93,49 @@ esp_err_t server_setup(mbedtls_endpoint_t * server)
     ret = mbedtls_x509_crt_parse( &server->cert, server_cert_chain_pem_start,
                                   server_cert_chain_pem_end - server_cert_chain_pem_start);
 
-    if( ret != 0 ) {
+    if ( ret != 0 ) {
         ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned %d", ret );
         return ESP_FAIL;
     }
 
-    ret =  mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start ,
+    ret =  mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start,
                                  server_pk_end - server_pk_start, NULL, 0 );
-    if( ret != 0 ) {
+    if ( ret != 0 ) {
         ESP_LOGE(TAG, "mbedtls_pk_parse_key returned %d", ret );
         return ESP_FAIL;
     }
 
     ESP_LOGI(TAG, "Bind on https://%s:%s/", SERVER_ADDRESS, SERVER_PORT );
-    if( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
+    if ( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
         ESP_LOGE(TAG, "mbedtls_net_bind returned %d", ret );
         return ESP_FAIL;
     }
+    mbedtls_net_set_nonblock(&server->listen_fd);
 
     ESP_LOGI(TAG, "Seeding the random number generator");
-    if( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
-                NULL, 0) ) != 0 ) {
+    if ( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
+                                        NULL, 0) ) != 0 ) {
         ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret );
         return ESP_FAIL;
     }
 
     ESP_LOGI(TAG, "Setting up the SSL data");
-    if( ( ret = mbedtls_ssl_config_defaults( &server->conf,
-                    MBEDTLS_SSL_IS_SERVER,
-                    MBEDTLS_SSL_TRANSPORT_STREAM,
-                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
-    {
+    if ( ( ret = mbedtls_ssl_config_defaults( &server->conf,
+                 MBEDTLS_SSL_IS_SERVER,
+                 MBEDTLS_SSL_TRANSPORT_STREAM,
+                 MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) {
         ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret );
         return ESP_FAIL;
     }
 
     mbedtls_ssl_conf_rng( &server->conf, mbedtls_ctr_drbg_random, &server->ctr_drbg );
-    mbedtls_ssl_conf_ca_chain( &server->conf, server->cert.next, NULL );
 
-    if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 )
-    {
+    if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 ) {
         ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned %d", ret );
         return ESP_FAIL;
     }
 
-    if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 )
-    {
+    if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 ) {
         ESP_LOGE(TAG, "mbedtls_ssl_setup returned %d", ret );
         return ESP_FAIL;
     }
@@ -151,27 +154,33 @@ void server_task(void *pvParameters)
         goto exit;
     }
 
-    ESP_LOGI(TAG, "Waiting for a remote connection" );
-    if( ( ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd,
-                                    NULL, 0, NULL ) ) != 0 ) {
-        ESP_LOGE(TAG, "mbedtls_net_accept returned %d", ret );
-        goto exit;
-    }
+    bool connected = false;
+    while (!exit_flag) {
 
-    mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+        ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd, NULL, 0, NULL );
 
-    while(exit_flag == false) {
-        mbedtls_ssl_handshake( &server.ssl );
+        if (ret == 0) {
+            connected = true;
+        }
+
+        if (connected) {
+            mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+            ret = mbedtls_ssl_handshake( &server.ssl );
+            mbedtls_ssl_session_reset(&server.ssl);
+            connected = false;
+        }
+
+        vTaskDelay(20 / portTICK_PERIOD_MS);
     }
     ESP_LOGE(TAG, "Server shutdown");
-    exit:
-        endpoint_teardown(&server);
-        xSemaphoreGive(*sema);
-        vTaskDelete(NULL);
+exit:
+    endpoint_teardown(&server);
+    xSemaphoreGive(*sema);
+    vTaskDelete(NULL);
 }
 
 
-esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
+esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint)
 {
     mbedtls_net_free( &endpoint->client_fd );
     mbedtls_net_free( &endpoint->listen_fd );
@@ -187,7 +196,7 @@ esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
     return ESP_OK;
 }
 
-esp_err_t client_setup(mbedtls_endpoint_t* client)
+esp_err_t client_setup(mbedtls_endpoint_t *client)
 {
     int ret;
     mbedtls_ssl_config_init( &client->conf );
@@ -199,24 +208,24 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
     mbedtls_ctr_drbg_init( &client->ctr_drbg );
 
     ESP_LOGI(TAG, "Seeding the random number generator");
-    if((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
-                                    NULL, 0)) != 0) {
+    if ((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
+                                     NULL, 0)) != 0) {
         ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret);
         return ESP_FAIL;
     }
 
     ESP_LOGI(TAG, "Setting hostname for TLS session...");
-     /* Hostname set here should match CN in server certificate */
-    if((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
+    /* Hostname set here should match CN in server certificate */
+    if ((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
         ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
         return ESP_FAIL;
     }
 
     ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
-    if((ret = mbedtls_ssl_config_defaults(&client->conf,
-                                          MBEDTLS_SSL_IS_CLIENT,
-                                          MBEDTLS_SSL_TRANSPORT_STREAM,
-                                          MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
+    if ((ret = mbedtls_ssl_config_defaults(&client->conf,
+                                           MBEDTLS_SSL_IS_CLIENT,
+                                           MBEDTLS_SSL_TRANSPORT_STREAM,
+                                           MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
         ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
         return ESP_FAIL;
     }
@@ -230,21 +239,26 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
     return ESP_OK;
 }
 
-void client_task(void *pvParameters)
+int client_task(const uint8_t *bundle, esp_crt_validate_res_t *res)
 {
-    int ret;
-
-    xSemaphoreHandle *sema = (xSemaphoreHandle *) pvParameters;
+    int ret = ESP_FAIL;
 
     mbedtls_endpoint_t client;
 
-    if(client_setup(&client) != ESP_OK) {
+    *res = ESP_CRT_VALIDATE_UNKNOWN;
+
+    if (client_setup(&client) != ESP_OK) {
         ESP_LOGE(TAG, "SSL client setup failed");
         goto exit;
     }
 
-    // Set the custom bundle which DOESN'T includes the server's root certificate (default bundle)
     esp_crt_bundle_attach(&client.conf);
+    if (bundle) {
+        /* Set a bundle different from the menuconfig bundle */
+        esp_crt_bundle_set(bundle);
+    }
+
+
 
     ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
     if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
@@ -256,57 +270,61 @@ void client_task(void *pvParameters)
     mbedtls_ssl_set_bio(&client.ssl, &client.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
 
     ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle that is missing the server root certificate");
-    ret = mbedtls_ssl_handshake(&client.ssl);
+    while ( ( ret = mbedtls_ssl_handshake( &client.ssl ) ) != 0 ) {
+        if ( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) {
+            printf( "mbedtls_ssl_handshake failed with -0x%x\n", -ret );
+            break;
+        }
+    }
 
     ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
-    TEST_ASSERT(mbedtls_ssl_get_verify_result(&client.ssl) != 0);
+    ret  = mbedtls_ssl_get_verify_result(&client.ssl);
+
+    *res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
+
 
     // Reset session before new connection
     mbedtls_ssl_close_notify(&client.ssl);
     mbedtls_ssl_session_reset(&client.ssl);
-
-    // Set the custom bundle which includes the server's root certificate
-    esp_crt_bundle_set(server_cert_bundle_start);
-
-    ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle containing the server root certificate");
-    ret = mbedtls_ssl_handshake(&client.ssl);
-
-    ESP_LOGI(TAG, "Verifying peer X.509 certificate ...");
-    ret = mbedtls_ssl_get_verify_result(&client.ssl);
-    TEST_ASSERT(ret == 0);
-
-    if(ret == 0) {
-        ESP_LOGI(TAG, "Certificate validated");
-    }
+    mbedtls_net_free( &client.client_fd);
 
 
-    exit_flag = true;
+exit:
+    mbedtls_ssl_close_notify(&client.ssl);
+    mbedtls_ssl_session_reset(&client.ssl);
+    esp_crt_bundle_detach(&client.conf);
+    endpoint_teardown(&client);
 
-    exit:
-        mbedtls_ssl_close_notify(&client.ssl);
-        mbedtls_ssl_session_reset(&client.ssl);
-        esp_crt_bundle_detach(&client.conf);
-        endpoint_teardown(&client);
-        xSemaphoreGive(*sema);
-        vTaskDelete(NULL);
+    return ret;
 }
 
 TEST_CASE("custom certificate bundle", "[mbedtls]")
 {
+    esp_crt_validate_res_t validate_res;
+
     test_case_uses_tcpip();
 
-    xSemaphoreHandle exit_sema = xSemaphoreCreateCounting(2, 0);
+    xSemaphoreHandle exit_sema = xSemaphoreCreateBinary();
 
-    xTaskCreate(server_task, "server task", 8192, &exit_sema, 5, NULL);
+    exit_flag = false;
+    xTaskCreate(server_task, "server task", 8192, &exit_sema, 10, NULL);
 
     // Wait for the server to start up
     vTaskDelay(100 / portTICK_PERIOD_MS);
-    xTaskCreate(client_task, "https_get_task", 8192, &exit_sema, 5, NULL);
 
-    for(int i = 0; i < 2; i++) {
-        if(!xSemaphoreTake(exit_sema, 10000/portTICK_PERIOD_MS)) {
-            TEST_FAIL_MESSAGE("exit_sem not released by test task");
-        }
+    /* Test with default crt bundle that doesnt contain the ca crt */
+    client_task(NULL, &validate_res);
+    TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_FAIL);
+
+    /* Test with bundle that does contain the CA crt */
+    client_task(server_cert_bundle_start, &validate_res);
+    TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_OK);
+
+    exit_flag = true;
+
+    if (!xSemaphoreTake(exit_sema, 10000 / portTICK_PERIOD_MS)) {
+        TEST_FAIL_MESSAGE("exit_sem not released by server task");
     }
+
     vSemaphoreDelete(exit_sema);
-}
\ No newline at end of file
+}