From bbdf36667a04af6786c80f8cc34fdc46a2447706 Mon Sep 17 00:00:00 2001
From: Espressif Systems <wujiangang@espressif.com>
Date: Sat, 4 Feb 2017 10:51:11 +0800
Subject: [PATCH] openssl: sync openssl wrap layer from esp-idf and add
 openssl_demo

---
 examples/openssl_demo/Makefile                |  123 ++
 examples/openssl_demo/gen_misc.sh             |  165 ++
 examples/openssl_demo/include/openssl_demo.h  |    6 +
 examples/openssl_demo/include/user_config.h   |   34 +
 examples/openssl_demo/programs/Makefile       |   47 +
 examples/openssl_demo/programs/openssl_demo.c |  174 ++
 examples/openssl_demo/user/Makefile           |   44 +
 examples/openssl_demo/user/user_main.c        |  108 +
 include/openssl/internal/ssl3.h               |   44 +
 include/openssl/internal/ssl_cert.h           |   55 +
 include/openssl/internal/ssl_code.h           |  124 ++
 include/openssl/internal/ssl_dbg.h            |  191 ++
 include/openssl/internal/ssl_lib.h            |   28 +
 include/openssl/internal/ssl_methods.h        |  121 ++
 include/openssl/internal/ssl_pkey.h           |   86 +
 include/openssl/internal/ssl_stack.h          |   52 +
 include/openssl/internal/ssl_types.h          |  288 +++
 include/openssl/internal/ssl_x509.h           |  108 +
 include/openssl/internal/tls1.h               |   55 +
 include/openssl/internal/x509_vfy.h           |  111 +
 include/openssl/mbedtls_ssl.h                 |   50 -
 include/openssl/openssl/ssl.h                 | 1755 ++++++++++++++++
 include/openssl/platform/ssl_opt.h            |   89 +
 include/openssl/platform/ssl_pm.h             |   59 +
 include/openssl/platform/ssl_port.h           |   81 +
 include/openssl/ssl_compat-1.0.h              |   50 -
 include/openssl/ssl_ctx.h                     |   71 -
 include/openssl/ssl_debug.h                   |   14 -
 include/openssl/ssl_opt.h                     |   32 -
 lib/libopenssl.a                              |  Bin 23444 -> 99006 bytes
 third_party/openssl/Makefile                  |  101 +-
 third_party/openssl/OpenSSL-APIs.rst          | 1797 +++++++++++++++++
 third_party/openssl/library/Makefile          |   46 +
 third_party/openssl/library/ssl_cert.c        |   87 +
 third_party/openssl/library/ssl_lib.c         | 1556 ++++++++++++++
 third_party/openssl/library/ssl_methods.c     |   81 +
 third_party/openssl/library/ssl_pkey.c        |  239 +++
 third_party/openssl/library/ssl_stack.c       |   74 +
 third_party/openssl/library/ssl_x509.c        |  285 +++
 third_party/openssl/mbedtls_ssl.c             |  470 -----
 third_party/openssl/platform/Makefile         |   46 +
 third_party/openssl/platform/ssl_pm.c         |  667 ++++++
 third_party/openssl/ssl_ctx.c                 |  180 --
 43 files changed, 8880 insertions(+), 914 deletions(-)
 create mode 100644 examples/openssl_demo/Makefile
 create mode 100755 examples/openssl_demo/gen_misc.sh
 create mode 100644 examples/openssl_demo/include/openssl_demo.h
 create mode 100644 examples/openssl_demo/include/user_config.h
 create mode 100644 examples/openssl_demo/programs/Makefile
 create mode 100644 examples/openssl_demo/programs/openssl_demo.c
 create mode 100644 examples/openssl_demo/user/Makefile
 create mode 100644 examples/openssl_demo/user/user_main.c
 create mode 100644 include/openssl/internal/ssl3.h
 create mode 100755 include/openssl/internal/ssl_cert.h
 create mode 100644 include/openssl/internal/ssl_code.h
 create mode 100644 include/openssl/internal/ssl_dbg.h
 create mode 100755 include/openssl/internal/ssl_lib.h
 create mode 100755 include/openssl/internal/ssl_methods.h
 create mode 100755 include/openssl/internal/ssl_pkey.h
 create mode 100755 include/openssl/internal/ssl_stack.h
 create mode 100755 include/openssl/internal/ssl_types.h
 create mode 100755 include/openssl/internal/ssl_x509.h
 create mode 100644 include/openssl/internal/tls1.h
 create mode 100644 include/openssl/internal/x509_vfy.h
 delete mode 100644 include/openssl/mbedtls_ssl.h
 create mode 100755 include/openssl/openssl/ssl.h
 create mode 100644 include/openssl/platform/ssl_opt.h
 create mode 100755 include/openssl/platform/ssl_pm.h
 create mode 100755 include/openssl/platform/ssl_port.h
 delete mode 100644 include/openssl/ssl_compat-1.0.h
 delete mode 100644 include/openssl/ssl_ctx.h
 delete mode 100644 include/openssl/ssl_debug.h
 delete mode 100644 include/openssl/ssl_opt.h
 create mode 100644 third_party/openssl/OpenSSL-APIs.rst
 create mode 100644 third_party/openssl/library/Makefile
 create mode 100755 third_party/openssl/library/ssl_cert.c
 create mode 100755 third_party/openssl/library/ssl_lib.c
 create mode 100644 third_party/openssl/library/ssl_methods.c
 create mode 100755 third_party/openssl/library/ssl_pkey.c
 create mode 100644 third_party/openssl/library/ssl_stack.c
 create mode 100755 third_party/openssl/library/ssl_x509.c
 delete mode 100644 third_party/openssl/mbedtls_ssl.c
 create mode 100644 third_party/openssl/platform/Makefile
 create mode 100644 third_party/openssl/platform/ssl_pm.c
 delete mode 100644 third_party/openssl/ssl_ctx.c

diff --git a/examples/openssl_demo/Makefile b/examples/openssl_demo/Makefile
new file mode 100644
index 00000000..8f76385b
--- /dev/null
+++ b/examples/openssl_demo/Makefile
@@ -0,0 +1,123 @@
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of object file images to be generated ()
+#   GEN_BINS - list of binaries to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+TARGET = eagle
+#FLAVOR = release
+FLAVOR = debug
+
+#EXTRA_CCFLAGS += -u
+
+ifndef PDIR # {
+GEN_IMAGES= eagle.app.v6.out
+GEN_BINS= eagle.app.v6.bin
+SPECIAL_MKTARGETS=$(APP_MKTARGETS)
+SUBDIRS=    \
+	user    \
+	programs
+
+endif # } PDIR
+
+LDDIR = $(SDK_PATH)/ld
+
+CCFLAGS += -Os
+
+TARGET_LDFLAGS =		\
+	-nostdlib		\
+	-Wl,-EL \
+	--longcalls \
+	--text-section-literals
+
+ifeq ($(FLAVOR),debug)
+    TARGET_LDFLAGS += -g -O2
+endif
+
+ifeq ($(FLAVOR),release)
+    TARGET_LDFLAGS += -g -O0
+endif
+
+COMPONENTS_eagle.app.v6 = \
+	user/libuser.a  \
+	programs/openssl_demo.a
+
+LINKFLAGS_eagle.app.v6 =    \
+    -L$(SDK_PATH)/lib       \
+    -Wl,--gc-sections       \
+    -nostdlib               \
+    -T$(LD_FILE)            \
+    -Wl,--no-check-sections \
+    -u call_user_start      \
+    -Wl,-static             \
+    -Wl,--start-group       \
+    -lcirom                 \
+    -lgcc                   \
+    -lhal                   \
+    -lcrypto                \
+    -lfreertos              \
+    -llwip                  \
+    -lmain                  \
+    -lnet80211              \
+    -lphy                   \
+    -lpp                    \
+    -lmbedtls               \
+    -lopenssl               \
+    -lwpa                   \
+    $(DEP_LIBS_eagle.app.v6)\
+    -Wl,--end-group
+
+DEPENDS_eagle.app.v6 = \
+                $(LD_FILE) \
+                $(LDDIR)/eagle.rom.addr.v6.ld
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+
+#UNIVERSAL_TARGET_DEFINES =		\
+
+# Other potential configuration flags include:
+#	-DTXRX_TXBUF_DEBUG
+#	-DTXRX_RXBUF_DEBUG
+#	-DWLAN_CONFIG_CCX
+CONFIGURATION_DEFINES =	-DICACHE_FLASH
+
+DEFINES +=				\
+	$(UNIVERSAL_TARGET_DEFINES)	\
+	$(CONFIGURATION_DEFINES)
+
+DDEFINES +=				\
+	$(UNIVERSAL_TARGET_DEFINES)	\
+	$(CONFIGURATION_DEFINES)
+
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(PDIR)include -I include -I $(SDK_PATH)/include/openssl
+sinclude $(SDK_PATH)/Makefile
+
+.PHONY: FORCE
+FORCE:
+
diff --git a/examples/openssl_demo/gen_misc.sh b/examples/openssl_demo/gen_misc.sh
new file mode 100755
index 00000000..08d4fbb6
--- /dev/null
+++ b/examples/openssl_demo/gen_misc.sh
@@ -0,0 +1,165 @@
+#!/bin/bash
+
+echo "gen_misc.sh version 20150911"
+echo ""
+
+if [ $SDK_PATH ]; then
+    echo "SDK_PATH:"
+    echo "$SDK_PATH"
+    echo ""
+else
+    echo "ERROR: Please export SDK_PATH in gen_misc.sh firstly, exit!!!"
+    exit
+fi
+
+if [ $BIN_PATH ]; then
+    echo "BIN_PATH:"
+    echo "$BIN_PATH"
+    echo ""
+else
+    echo "ERROR: Please export BIN_PATH in gen_misc.sh firstly, exit!!!"
+    exit
+fi
+
+echo "Please check SDK_PATH & BIN_PATH, enter (Y/y) to continue:"
+read input
+
+if [[ $input != Y ]] && [[ $input != y ]]; then
+    exit
+fi
+
+echo ""
+
+echo "Please follow below steps(1-5) to generate specific bin(s):"
+echo "STEP 1: use boot_v1.2+ by default"
+boot=new
+
+echo "boot mode: $boot"
+echo ""
+
+echo "STEP 2: choose bin generate(0=eagle.flash.bin+eagle.irom0text.bin, 1=user1.bin, 2=user2.bin)"
+echo "enter (0/1/2, default 0):"
+read input
+
+if [ -z "$input" ]; then
+    if [ $boot != none ]; then
+    	boot=none
+	echo "ignore boot"
+    fi
+    app=0
+    echo "generate bin: eagle.flash.bin+eagle.irom0text.bin"
+elif [ $input == 1 ]; then
+    if [ $boot == none ]; then
+    	app=0
+	echo "choose no boot before"
+	echo "generate bin: eagle.flash.bin+eagle.irom0text.bin"
+    else
+	app=1
+        echo "generate bin: user1.bin"
+    fi
+elif [ $input == 2 ]; then
+    if [ $boot == none ]; then
+    	app=0
+	echo "choose no boot before"
+	echo "generate bin: eagle.flash.bin+eagle.irom0text.bin"
+    else
+    	app=2
+    	echo "generate bin: user2.bin"
+    fi
+else
+    if [ $boot != none ]; then
+    	boot=none
+	echo "ignore boot"
+    fi
+    app=0
+    echo "generate bin: eagle.flash.bin+eagle.irom0text.bin"
+fi
+
+echo ""
+
+echo "STEP 3: choose spi speed(0=20MHz, 1=26.7MHz, 2=40MHz, 3=80MHz)"
+echo "enter (0/1/2/3, default 2):"
+read input
+
+if [ -z "$input" ]; then
+    spi_speed=40
+elif [ $input == 0 ]; then
+    spi_speed=20
+elif [ $input == 1 ]; then
+    spi_speed=26.7
+elif [ $input == 3 ]; then
+    spi_speed=80
+else
+    spi_speed=40
+fi
+
+echo "spi speed: $spi_speed MHz"
+echo ""
+
+echo "STEP 4: choose spi mode(0=QIO, 1=QOUT, 2=DIO, 3=DOUT)"
+echo "enter (0/1/2/3, default 0):"
+read input
+
+if [ -z "$input" ]; then
+    spi_mode=QIO
+elif [ $input == 1 ]; then
+    spi_mode=QOUT
+elif [ $input == 2 ]; then
+    spi_mode=DIO
+elif [ $input == 3 ]; then
+    spi_mode=DOUT
+else
+    spi_mode=QIO
+fi
+
+echo "spi mode: $spi_mode"
+echo ""
+
+echo "STEP 5: choose spi size and map"
+echo "    0= 512KB( 256KB+ 256KB)"
+echo "    2=1024KB( 512KB+ 512KB)"
+echo "    3=2048KB( 512KB+ 512KB)"
+echo "    4=4096KB( 512KB+ 512KB)"
+echo "    5=2048KB(1024KB+1024KB)"
+echo "    6=4096KB(1024KB+1024KB)"
+echo "enter (0/2/3/4/5/6, default 0):"
+read input
+
+if [ -z "$input" ]; then
+    spi_size_map=0
+    echo "spi size: 512KB"
+    echo "spi ota map:  256KB + 256KB"
+elif [ $input == 2 ]; then
+    spi_size_map=2
+    echo "spi size: 1024KB"
+    echo "spi ota map:  512KB + 512KB"
+elif [ $input == 3 ]; then
+    spi_size_map=3
+    echo "spi size: 2048KB"
+    echo "spi ota map:  512KB + 512KB"
+elif [ $input == 4 ]; then
+    spi_size_map=4
+    echo "spi size: 4096KB"
+    echo "spi ota map:  512KB + 512KB"
+elif [ $input == 5 ]; then
+    spi_size_map=5
+    echo "spi size: 2048KB"
+    echo "spi ota map:  1024KB + 1024KB"
+elif [ $input == 6 ]; then
+    spi_size_map=6
+    echo "spi size: 4096KB"
+    echo "spi ota map:  1024KB + 1024KB"
+else
+    spi_size_map=0
+    echo "spi size: 512KB"
+    echo "spi ota map:  256KB + 256KB"
+fi
+
+echo ""
+
+echo "start..."
+echo ""
+
+make clean
+
+make BOOT=$boot APP=$app SPI_SPEED=$spi_speed SPI_MODE=$spi_mode SPI_SIZE_MAP=$spi_size_map
diff --git a/examples/openssl_demo/include/openssl_demo.h b/examples/openssl_demo/include/openssl_demo.h
new file mode 100644
index 00000000..2a8b3f71
--- /dev/null
+++ b/examples/openssl_demo/include/openssl_demo.h
@@ -0,0 +1,6 @@
+#ifndef _OPENSSL_DEMO_H_
+#define _OPENSSL_DEMO_H_
+
+void user_conn_init(void);
+
+#endif
diff --git a/examples/openssl_demo/include/user_config.h b/examples/openssl_demo/include/user_config.h
new file mode 100644
index 00000000..dc4e128c
--- /dev/null
+++ b/examples/openssl_demo/include/user_config.h
@@ -0,0 +1,34 @@
+/*
+ * ESPRSSIF MIT License
+ *
+ * Copyright (c) 2015 <ESPRESSIF SYSTEMS (SHANGHAI) PTE LTD>
+ *
+ * Permission is hereby granted for use on ESPRESSIF SYSTEMS ESP8266 only, in which case,
+ * it is free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in all copies or
+ * substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+#ifndef __USER_CONFIG_H__
+#define __USER_CONFIG_H__
+
+#include "openssl_demo.h"
+
+#define SSID "UTT-750"
+#define PASSWORD "espressif"
+
+#endif
+
diff --git a/examples/openssl_demo/programs/Makefile b/examples/openssl_demo/programs/Makefile
new file mode 100644
index 00000000..5c74dba6
--- /dev/null
+++ b/examples/openssl_demo/programs/Makefile
@@ -0,0 +1,47 @@
+
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of images to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+ifndef PDIR
+
+UP_EXTRACT_DIR = ..
+GEN_LIBS = openssl_demo.a
+		       
+endif
+
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+#DEFINES += 
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(PDIR)include
+INCLUDES += -I ./
+PDIR := ../$(PDIR)
+sinclude $(PDIR)Makefile
+
diff --git a/examples/openssl_demo/programs/openssl_demo.c b/examples/openssl_demo/programs/openssl_demo.c
new file mode 100644
index 00000000..cc98c4be
--- /dev/null
+++ b/examples/openssl_demo/programs/openssl_demo.c
@@ -0,0 +1,174 @@
+#include <stddef.h>
+#include "openssl_demo.h"
+#include "openssl/ssl.h"
+#include "freertos/FreeRTOS.h"
+#include "freertos/task.h"
+#include "espressif/c_types.h"
+#include "lwip/sockets.h"
+
+#define OPENSSL_DEMO_THREAD_NAME "ssl_demo"
+#define OPENSSL_DEMO_THREAD_STACK_WORDS 2048
+#define OPENSSL_DEMO_THREAD_PRORIOTY 6
+
+#define OPENSSL_DEMO_FRAGMENT_SIZE 8192
+
+#define OPENSSL_DEMO_LOCAL_TCP_PORT 1000
+
+#define OPENSSL_DEMO_TARGET_NAME "www.baidu.com"
+#define OPENSSL_DEMO_TARGET_TCP_PORT 443
+
+#define OPENSSL_DEMO_REQUEST "{\"path\": \"/v1/ping/\", \"method\": \"GET\"}\r\n"
+
+#define OPENSSL_DEMO_RECV_BUF_LEN 1024
+
+LOCAL xTaskHandle openssl_handle;
+
+LOCAL char send_data[] = OPENSSL_DEMO_REQUEST;
+LOCAL int send_bytes = sizeof(send_data);
+
+LOCAL char recv_buf[OPENSSL_DEMO_RECV_BUF_LEN];
+
+LOCAL void openssl_demo_thread(void *p)
+{
+    int ret;
+
+    SSL_CTX *ctx;
+    SSL *ssl;
+
+    int socket;
+    struct sockaddr_in sock_addr;
+
+    ip_addr_t target_ip;
+
+    int recv_bytes = 0;
+
+    os_printf("OpenSSL demo thread start...\n");
+
+    do {
+        ret = netconn_gethostbyname(OPENSSL_DEMO_TARGET_NAME, &target_ip);
+    } while(ret);
+    os_printf("get target IP is %d.%d.%d.%d\n", (unsigned char)((target_ip.addr & 0x000000ff) >> 0),
+                                                (unsigned char)((target_ip.addr & 0x0000ff00) >> 8),
+                                                (unsigned char)((target_ip.addr & 0x00ff0000) >> 16),
+                                                (unsigned char)((target_ip.addr & 0xff000000) >> 24));
+
+    os_printf("create SSL context ......");
+    ctx = SSL_CTX_new(TLSv1_1_client_method());
+    if (!ctx) {
+        os_printf("failed\n");
+        goto failed1;
+    }
+    os_printf("OK\n");
+
+    os_printf("set SSL context read buffer size ......");
+    SSL_CTX_set_default_read_buffer_len(ctx, OPENSSL_DEMO_FRAGMENT_SIZE);
+    ret = 0;
+    if (ret) {
+        os_printf("failed, return %d\n", ret);
+        goto failed2;
+    }
+    os_printf("OK\n");
+
+    os_printf("create socket ......");
+    socket = socket(AF_INET, SOCK_STREAM, 0);
+    if (socket < 0) {
+        os_printf("failed\n");
+        goto failed3;
+    }
+    os_printf("OK\n");
+
+    os_printf("bind socket ......");
+    memset(&sock_addr, 0, sizeof(sock_addr));
+    sock_addr.sin_family = AF_INET;
+    sock_addr.sin_addr.s_addr = 0;
+    sock_addr.sin_port = htons(OPENSSL_DEMO_LOCAL_TCP_PORT);
+    ret = bind(socket, (struct sockaddr*)&sock_addr, sizeof(sock_addr));
+    if (ret) {
+        os_printf("failed\n");
+        goto failed4;
+    }
+    os_printf("OK\n");
+
+    os_printf("socket connect to remote ......");
+    memset(&sock_addr, 0, sizeof(sock_addr));
+    sock_addr.sin_family = AF_INET;
+    sock_addr.sin_addr.s_addr = target_ip.addr;
+    sock_addr.sin_port = htons(OPENSSL_DEMO_TARGET_TCP_PORT);
+    ret = connect(socket, (struct sockaddr*)&sock_addr, sizeof(sock_addr));
+    if (ret) {
+        os_printf("failed\n", OPENSSL_DEMO_TARGET_NAME);
+        goto failed5;
+    }
+    os_printf("OK\n");
+
+    os_printf("create SSL ......");
+    ssl = SSL_new(ctx);
+    if (!ssl) {
+        os_printf("failed\n");
+        goto failed6;
+    }
+    os_printf("OK\n");
+
+    SSL_set_fd(ssl, socket);
+
+    os_printf("SSL connected to %s port %d ......", OPENSSL_DEMO_TARGET_NAME, OPENSSL_DEMO_TARGET_TCP_PORT);
+    ret = SSL_connect(ssl);
+    if (!ret) {
+        os_printf("failed, return [-0x%x]\n", -ret);
+        goto failed7;
+    }
+    os_printf("OK\n");
+
+    os_printf("send request to %s port %d ......", OPENSSL_DEMO_TARGET_NAME, OPENSSL_DEMO_TARGET_TCP_PORT);
+    ret = SSL_write(ssl, send_data, send_bytes);
+    if (ret <= 0) {
+        os_printf("failed, return [-0x%x]\n", -ret);
+        goto failed8;
+    }
+    os_printf("OK\n\n");
+
+    do {
+        ret = SSL_read(ssl, recv_buf, OPENSSL_DEMO_RECV_BUF_LEN - 1);
+        if (ret <= 0) {
+            break;
+        }
+        recv_bytes += ret;
+        os_printf("%s", recv_buf);
+    } while (1);
+    os_printf("read %d bytes data from %s ......\n", recv_bytes, OPENSSL_DEMO_TARGET_NAME);
+
+failed8:
+    SSL_shutdown(ssl);
+failed7:
+    SSL_free(ssl);
+failed6:
+failed5:
+failed4:
+    close(socket);
+failed3:
+failed2:
+    SSL_CTX_free(ctx);
+failed1:
+    vTaskDelete(NULL);
+
+    os_printf("task exit\n");
+
+    return ;
+}
+
+void user_conn_init(void)
+{
+    int ret;
+
+    ret = xTaskCreate(openssl_demo_thread,
+                      OPENSSL_DEMO_THREAD_NAME,
+                      OPENSSL_DEMO_THREAD_STACK_WORDS,
+                      NULL,
+                      OPENSSL_DEMO_THREAD_PRORIOTY,
+                      &openssl_handle);
+    if (ret != pdPASS)  {
+        os_printf("create thread %s failed\n", OPENSSL_DEMO_THREAD_NAME);
+        return ;
+    }
+}
+
diff --git a/examples/openssl_demo/user/Makefile b/examples/openssl_demo/user/Makefile
new file mode 100644
index 00000000..d57d85da
--- /dev/null
+++ b/examples/openssl_demo/user/Makefile
@@ -0,0 +1,44 @@
+
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of images to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+ifndef PDIR
+GEN_LIBS = libuser.a
+endif
+
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+#DEFINES += 
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(PDIR)include
+INCLUDES += -I ./
+PDIR := ../$(PDIR)
+sinclude $(PDIR)Makefile
+
diff --git a/examples/openssl_demo/user/user_main.c b/examples/openssl_demo/user/user_main.c
new file mode 100644
index 00000000..02727d2f
--- /dev/null
+++ b/examples/openssl_demo/user/user_main.c
@@ -0,0 +1,108 @@
+/*
+ * ESPRSSIF MIT License
+ *
+ * Copyright (c) 2015 <ESPRESSIF SYSTEMS (SHANGHAI) PTE LTD>
+ *
+ * Permission is hereby granted for use on ESPRESSIF SYSTEMS ESP8266 only, in which case,
+ * it is free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the Software is furnished
+ * to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or
+ * substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+#include "esp_common.h"
+#include "user_config.h"
+
+/******************************************************************************
+ * FunctionName : user_rf_cal_sector_set
+ * Description  : SDK just reversed 4 sectors, used for rf init data and paramters.
+ *                We add this function to force users to set rf cal sector, since
+ *                we don't know which sector is free in user's application.
+ *                sector map for last several sectors : ABCCC
+ *                A : rf cal
+ *                B : rf init data
+ *                C : sdk parameters
+ * Parameters   : none
+ * Returns      : rf cal sector
+*******************************************************************************/
+uint32 user_rf_cal_sector_set(void)
+{
+    flash_size_map size_map = system_get_flash_size_map();
+    uint32 rf_cal_sec = 0;
+
+    switch (size_map) {
+        case FLASH_SIZE_4M_MAP_256_256:
+            rf_cal_sec = 128 - 5;
+            break;
+
+        case FLASH_SIZE_8M_MAP_512_512:
+            rf_cal_sec = 256 - 5;
+            break;
+
+        case FLASH_SIZE_16M_MAP_512_512:
+        case FLASH_SIZE_16M_MAP_1024_1024:
+            rf_cal_sec = 512 - 5;
+            break;
+
+        case FLASH_SIZE_32M_MAP_512_512:
+        case FLASH_SIZE_32M_MAP_1024_1024:
+            rf_cal_sec = 1024 - 5;
+            break;
+
+        default:
+            rf_cal_sec = 0;
+            break;
+    }
+
+    return rf_cal_sec;
+}
+
+void wifi_event_handler_cb(System_Event_t *event)
+{
+    if (event == NULL) {
+        return;
+    }
+
+    switch (event->event_id) {
+        case EVENT_STAMODE_GOT_IP:
+            os_printf("sta got ip , creat task %d\n", system_get_free_heap_size());
+            user_conn_init();
+            break;
+
+        default:
+            break;
+    }
+}
+
+/******************************************************************************
+ * FunctionName : user_init
+ * Description  : entry of user application, init user function here
+ * Parameters   : none
+ * Returns      : none
+*******************************************************************************/
+void user_init(void)
+{
+    os_printf("SDK version:%s %d\n", system_get_sdk_version(), system_get_free_heap_size());
+    wifi_set_opmode(STATION_MODE);
+
+    // set AP parameter
+    struct station_config config;
+    bzero(&config, sizeof(struct station_config));
+    sprintf(config.ssid, SSID);
+    sprintf(config.password, PASSWORD);
+    wifi_station_set_config(&config);
+
+    wifi_set_event_handler_cb(wifi_event_handler_cb);
+}
diff --git a/include/openssl/internal/ssl3.h b/include/openssl/internal/ssl3.h
new file mode 100644
index 00000000..007b392f
--- /dev/null
+++ b/include/openssl/internal/ssl3.h
@@ -0,0 +1,44 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL3_H_
+#define _SSL3_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+# define SSL3_AD_CLOSE_NOTIFY             0
+# define SSL3_AD_UNEXPECTED_MESSAGE      10/* fatal */
+# define SSL3_AD_BAD_RECORD_MAC          20/* fatal */
+# define SSL3_AD_DECOMPRESSION_FAILURE   30/* fatal */
+# define SSL3_AD_HANDSHAKE_FAILURE       40/* fatal */
+# define SSL3_AD_NO_CERTIFICATE          41
+# define SSL3_AD_BAD_CERTIFICATE         42
+# define SSL3_AD_UNSUPPORTED_CERTIFICATE 43
+# define SSL3_AD_CERTIFICATE_REVOKED     44
+# define SSL3_AD_CERTIFICATE_EXPIRED     45
+# define SSL3_AD_CERTIFICATE_UNKNOWN     46
+# define SSL3_AD_ILLEGAL_PARAMETER       47/* fatal */
+
+# define SSL3_AL_WARNING                  1
+# define SSL3_AL_FATAL                    2
+
+#define SSL3_VERSION                 0x0300
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_cert.h b/include/openssl/internal/ssl_cert.h
new file mode 100755
index 00000000..86cf31ad
--- /dev/null
+++ b/include/openssl/internal/ssl_cert.h
@@ -0,0 +1,55 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_CERT_H_
+#define _SSL_CERT_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_types.h"
+
+/**
+ * @brief create a certification object include private key object according to input certification
+ *
+ * @param ic - input certification point
+ *
+ * @return certification object point
+ */
+CERT *__ssl_cert_new(CERT *ic);
+
+/**
+ * @brief create a certification object include private key object
+ *
+ * @param none
+ *
+ * @return certification object point
+ */
+CERT* ssl_cert_new(void);
+
+/**
+ * @brief free a certification object
+ *
+ * @param cert - certification object point
+ *
+ * @return none
+ */
+void ssl_cert_free(CERT *cert);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_code.h b/include/openssl/internal/ssl_code.h
new file mode 100644
index 00000000..80fdbb20
--- /dev/null
+++ b/include/openssl/internal/ssl_code.h
@@ -0,0 +1,124 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_CODE_H_
+#define _SSL_CODE_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl3.h"
+#include "tls1.h"
+#include "x509_vfy.h"
+
+/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+# define SSL_SENT_SHUTDOWN       1
+# define SSL_RECEIVED_SHUTDOWN   2
+
+# define SSL_VERIFY_NONE                 0x00
+# define SSL_VERIFY_PEER                 0x01
+# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
+# define SSL_VERIFY_CLIENT_ONCE          0x04
+
+/*
+ * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
+ * should not need these
+ */
+# define SSL_ST_READ_HEADER                      0xF0
+# define SSL_ST_READ_BODY                        0xF1
+# define SSL_ST_READ_DONE                        0xF2
+
+# define SSL_NOTHING            1
+# define SSL_WRITING            2
+# define SSL_READING            3
+# define SSL_X509_LOOKUP        4
+# define SSL_ASYNC_PAUSED       5
+# define SSL_ASYNC_NO_JOBS      6
+
+
+# define SSL_ERROR_NONE                  0
+# define SSL_ERROR_SSL                   1
+# define SSL_ERROR_WANT_READ             2
+# define SSL_ERROR_WANT_WRITE            3
+# define SSL_ERROR_WANT_X509_LOOKUP      4
+# define SSL_ERROR_SYSCALL               5/* look at error stack/return value/errno */
+# define SSL_ERROR_ZERO_RETURN           6
+# define SSL_ERROR_WANT_CONNECT          7
+# define SSL_ERROR_WANT_ACCEPT           8
+# define SSL_ERROR_WANT_ASYNC            9
+# define SSL_ERROR_WANT_ASYNC_JOB       10
+
+/* Message flow states */
+typedef enum {
+    /* No handshake in progress */
+    MSG_FLOW_UNINITED,
+    /* A permanent error with this connection */
+    MSG_FLOW_ERROR,
+    /* We are about to renegotiate */
+    MSG_FLOW_RENEGOTIATE,
+    /* We are reading messages */
+    MSG_FLOW_READING,
+    /* We are writing messages */
+    MSG_FLOW_WRITING,
+    /* Handshake has finished */
+    MSG_FLOW_FINISHED
+} MSG_FLOW_STATE;
+
+/* SSL subsystem states */
+typedef enum {
+    TLS_ST_BEFORE,
+    TLS_ST_OK,
+    DTLS_ST_CR_HELLO_VERIFY_REQUEST,
+    TLS_ST_CR_SRVR_HELLO,
+    TLS_ST_CR_CERT,
+    TLS_ST_CR_CERT_STATUS,
+    TLS_ST_CR_KEY_EXCH,
+    TLS_ST_CR_CERT_REQ,
+    TLS_ST_CR_SRVR_DONE,
+    TLS_ST_CR_SESSION_TICKET,
+    TLS_ST_CR_CHANGE,
+    TLS_ST_CR_FINISHED,
+    TLS_ST_CW_CLNT_HELLO,
+    TLS_ST_CW_CERT,
+    TLS_ST_CW_KEY_EXCH,
+    TLS_ST_CW_CERT_VRFY,
+    TLS_ST_CW_CHANGE,
+    TLS_ST_CW_NEXT_PROTO,
+    TLS_ST_CW_FINISHED,
+    TLS_ST_SW_HELLO_REQ,
+    TLS_ST_SR_CLNT_HELLO,
+    DTLS_ST_SW_HELLO_VERIFY_REQUEST,
+    TLS_ST_SW_SRVR_HELLO,
+    TLS_ST_SW_CERT,
+    TLS_ST_SW_KEY_EXCH,
+    TLS_ST_SW_CERT_REQ,
+    TLS_ST_SW_SRVR_DONE,
+    TLS_ST_SR_CERT,
+    TLS_ST_SR_KEY_EXCH,
+    TLS_ST_SR_CERT_VRFY,
+    TLS_ST_SR_NEXT_PROTO,
+    TLS_ST_SR_CHANGE,
+    TLS_ST_SR_FINISHED,
+    TLS_ST_SW_SESSION_TICKET,
+    TLS_ST_SW_CERT_STATUS,
+    TLS_ST_SW_CHANGE,
+    TLS_ST_SW_FINISHED
+} OSSL_HANDSHAKE_STATE;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_dbg.h b/include/openssl/internal/ssl_dbg.h
new file mode 100644
index 00000000..12ba25f9
--- /dev/null
+++ b/include/openssl/internal/ssl_dbg.h
@@ -0,0 +1,191 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_DEBUG_H_
+#define _SSL_DEBUG_H_
+
+#include "platform/ssl_opt.h"
+#include "platform/ssl_port.h"
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#ifdef CONFIG_OPENSSL_DEBUG_LEVEL
+    #define SSL_DEBUG_LEVEL CONFIG_OPENSSL_DEBUG_LEVEL
+#else
+    #define SSL_DEBUG_LEVEL 0
+#endif
+
+#define SSL_DEBUG_ON  (SSL_DEBUG_LEVEL + 1)
+#define SSL_DEBUG_OFF (SSL_DEBUG_LEVEL - 1)
+
+#ifdef CONFIG_OPENSSL_DEBUG
+    #ifndef SSL_DEBUG_LOG
+        #error "SSL_DEBUG_LOG is not defined"
+    #endif
+
+    #ifndef SSL_DEBUG_FL
+        #define SSL_DEBUG_FL "\n"
+    #endif
+
+    #define SSL_SHOW_LOCATION()                         \
+        SSL_DEBUG_LOG("SSL assert : %s %d\n",           \
+            __FILE__, __LINE__)
+
+    #define SSL_DEBUG(level, fmt, ...)                  \
+    {                                                   \
+        if (level > SSL_DEBUG_LEVEL) {                  \
+            SSL_DEBUG_LOG(fmt SSL_DEBUG_FL, ##__VA_ARGS__); \
+        }                                               \
+    }
+#else /* CONFIG_OPENSSL_DEBUG */
+    #define SSL_SHOW_LOCATION()
+
+    #define SSL_DEBUG(level, fmt, ...)
+#endif /* CONFIG_OPENSSL_DEBUG */
+
+/**
+ * OpenSSL assert function
+ *
+ * if select "CONFIG_OPENSSL_ASSERT_DEBUG", SSL_ASSERT* will show error file name and line
+ * if select "CONFIG_OPENSSL_ASSERT_EXIT", SSL_ASSERT* will just return error code.
+ * if select "CONFIG_OPENSSL_ASSERT_DEBUG_EXIT" SSL_ASSERT* will show error file name and line,
+ * then return error code.
+ * if select "CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK", SSL_ASSERT* will show error file name and line,
+ * then block here with "while (1)"
+ *
+ * SSL_ASSERT1 may will return "-1", so function's return argument is integer.
+ * SSL_ASSERT2 may will return "NULL", so function's return argument is a point.
+ * SSL_ASSERT2 may will return nothing, so function's return argument is "void".
+ */
+#if defined(CONFIG_OPENSSL_ASSERT_DEBUG)
+    #define SSL_ASSERT1(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+        }                                               \
+    }
+
+    #define SSL_ASSERT2(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+        }                                               \
+    }
+
+    #define SSL_ASSERT3(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+        }                                               \
+    }
+#elif defined(CONFIG_OPENSSL_ASSERT_EXIT)
+    #define SSL_ASSERT1(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            return -1;                                  \
+        }                                               \
+    }
+
+    #define SSL_ASSERT2(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            return NULL;                                \
+        }                                               \
+    }
+
+    #define SSL_ASSERT3(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            return ;                                    \
+        }                                               \
+    }
+#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_EXIT)
+    #define SSL_ASSERT1(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            return -1;                                  \
+        }                                               \
+    }
+
+    #define SSL_ASSERT2(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            return NULL;                                \
+        }                                               \
+    }
+
+    #define SSL_ASSERT3(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            return ;                                    \
+        }                                               \
+    }
+#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK)
+    #define SSL_ASSERT1(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            while (1);                                  \
+        }                                               \
+    }
+
+    #define SSL_ASSERT2(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            while (1);                                  \
+        }                                               \
+    }
+
+    #define SSL_ASSERT3(s)                              \
+    {                                                   \
+        if (!(s)) {                                     \
+            SSL_SHOW_LOCATION();                        \
+            while (1);                                  \
+        }                                               \
+    }
+#else
+    #define SSL_ASSERT1(s)
+    #define SSL_ASSERT2(s)
+    #define SSL_ASSERT3(s)
+#endif
+
+#define SSL_PLATFORM_DEBUG_LEVEL SSL_DEBUG_OFF
+#define SSL_PLATFORM_ERROR_LEVEL SSL_DEBUG_ON
+
+#define SSL_CERT_DEBUG_LEVEL     SSL_DEBUG_OFF
+#define SSL_CERT_ERROR_LEVEL     SSL_DEBUG_ON
+
+#define SSL_PKEY_DEBUG_LEVEL     SSL_DEBUG_OFF
+#define SSL_PKEY_ERROR_LEVEL     SSL_DEBUG_ON
+
+#define SSL_X509_DEBUG_LEVEL     SSL_DEBUG_OFF
+#define SSL_X509_ERROR_LEVEL     SSL_DEBUG_ON
+
+#define SSL_LIB_DEBUG_LEVEL      SSL_DEBUG_OFF
+#define SSL_LIB_ERROR_LEVEL      SSL_DEBUG_ON
+
+#define SSL_STACK_DEBUG_LEVEL    SSL_DEBUG_OFF
+#define SSL_STACK_ERROR_LEVEL    SSL_DEBUG_ON
+
+#ifdef __cplusplus
+ }
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_lib.h b/include/openssl/internal/ssl_lib.h
new file mode 100755
index 00000000..bf7de22f
--- /dev/null
+++ b/include/openssl/internal/ssl_lib.h
@@ -0,0 +1,28 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_LIB_H_
+#define _SSL_LIB_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_types.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_methods.h b/include/openssl/internal/ssl_methods.h
new file mode 100755
index 00000000..cd2f8c05
--- /dev/null
+++ b/include/openssl/internal/ssl_methods.h
@@ -0,0 +1,121 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_METHODS_H_
+#define _SSL_METHODS_H_
+
+#include "ssl_types.h"
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/**
+ * TLS method function implement
+ */
+#define IMPLEMENT_TLS_METHOD_FUNC(func_name, \
+                    new, free, \
+                    handshake, shutdown, clear, \
+                    read, send, pending, \
+                    set_fd, get_fd, \
+                    set_bufflen, \
+                    get_verify_result, \
+                    get_state) \
+        static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
+                new, \
+                free, \
+                handshake, \
+                shutdown, \
+                clear, \
+                read, \
+                send, \
+                pending, \
+                set_fd, \
+                get_fd, \
+                set_bufflen, \
+                get_verify_result, \
+                get_state \
+        };
+
+#define IMPLEMENT_TLS_METHOD(ver, mode, fun, func_name) \
+    const SSL_METHOD* func_name(void) { \
+        static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
+                ver, \
+                mode, \
+                &(fun), \
+        }; \
+        return &func_name##_data; \
+    }
+
+#define IMPLEMENT_SSL_METHOD(ver, mode, fun, func_name) \
+    const SSL_METHOD* func_name(void) { \
+        static const SSL_METHOD func_name##_data LOCAL_ATRR = { \
+                ver, \
+                mode, \
+                &(fun), \
+        }; \
+        return &func_name##_data; \
+    }
+
+#define IMPLEMENT_X509_METHOD(func_name, \
+                new, \
+                free, \
+                load, \
+                show_info) \
+    const X509_METHOD* func_name(void) { \
+        static const X509_METHOD func_name##_data LOCAL_ATRR = { \
+                new, \
+                free, \
+                load, \
+                show_info \
+        }; \
+        return &func_name##_data; \
+    }
+
+#define IMPLEMENT_PKEY_METHOD(func_name, \
+                new, \
+                free, \
+                load) \
+    const PKEY_METHOD* func_name(void) { \
+        static const PKEY_METHOD func_name##_data LOCAL_ATRR = { \
+                new, \
+                free, \
+                load \
+        }; \
+        return &func_name##_data; \
+    }
+
+/**
+ * @brief get X509 object method
+ *
+ * @param none
+ *
+ * @return X509 object method point
+ */
+const X509_METHOD* X509_method(void);
+
+/**
+ * @brief get private key object method
+ *
+ * @param none
+ *
+ * @return private key object method point
+ */
+const PKEY_METHOD* EVP_PKEY_method(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_pkey.h b/include/openssl/internal/ssl_pkey.h
new file mode 100755
index 00000000..e790fcc9
--- /dev/null
+++ b/include/openssl/internal/ssl_pkey.h
@@ -0,0 +1,86 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_PKEY_H_
+#define _SSL_PKEY_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_types.h"
+
+/**
+ * @brief create a private key object according to input private key
+ *
+ * @param ipk - input private key point
+ *
+ * @return new private key object point
+ */
+EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk);
+
+/**
+ * @brief create a private key object
+ *
+ * @param none
+ *
+ * @return private key object point
+ */
+EVP_PKEY* EVP_PKEY_new(void);
+
+/**
+ * @brief load a character key context into system context. If '*a' is pointed to the
+ *        private key, then load key into it. Or create a new private key object
+ *
+ * @param type   - private key type
+ * @param a      - a point pointed to a private key point
+ * @param pp     - a point pointed to the key context memory point
+ * @param length - key bytes
+ *
+ * @return private key object point
+ */
+EVP_PKEY* d2i_PrivateKey(int type,
+                         EVP_PKEY **a,
+                         const unsigned char **pp,
+                         long length);
+
+/**
+ * @brief free a private key object
+ *
+ * @param pkey - private key object point
+ *
+ * @return none
+ */
+void EVP_PKEY_free(EVP_PKEY *x);
+
+/**
+ * @brief load private key into the SSL
+ *
+ * @param type - private key type
+ * @param ssl  - SSL point
+ * @param len  - data bytes
+ * @param d    - data point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK 
+ */
+ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_stack.h b/include/openssl/internal/ssl_stack.h
new file mode 100755
index 00000000..7a7051a0
--- /dev/null
+++ b/include/openssl/internal/ssl_stack.h
@@ -0,0 +1,52 @@
+#ifndef _SSL_STACK_H_
+#define _SSL_STACK_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_types.h"
+
+#define STACK_OF(type)  struct stack_st_##type
+
+#define SKM_DEFINE_STACK_OF(t1, t2, t3) \
+    STACK_OF(t1); \
+    static ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
+    { \
+        return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \
+    } \
+
+#define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
+
+/**
+ * @brief create a openssl stack object
+ *
+ * @param c - stack function
+ *
+ * @return openssl stack object point
+ */
+OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c);
+
+/**
+ * @brief create a NULL function openssl stack object
+ *
+ * @param none
+ *
+ * @return openssl stack object point
+ */
+OPENSSL_STACK *OPENSSL_sk_new_null(void);
+
+/**
+ * @brief free openssl stack object
+ *
+ * @param openssl stack object point
+ *
+ * @return none
+ */
+void OPENSSL_sk_free(OPENSSL_STACK *stack);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_types.h b/include/openssl/internal/ssl_types.h
new file mode 100755
index 00000000..5aaee941
--- /dev/null
+++ b/include/openssl/internal/ssl_types.h
@@ -0,0 +1,288 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_TYPES_H_
+#define _SSL_TYPES_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_code.h"
+
+typedef void SSL_CIPHER;
+
+typedef void X509_STORE_CTX;
+typedef void X509_STORE;
+
+typedef void RSA;
+
+typedef void STACK;
+typedef void BIO;
+
+#define ossl_inline inline
+
+#define SSL_METHOD_CALL(f, s, ...)        s->method->func->ssl_##f(s, ##__VA_ARGS__)
+#define X509_METHOD_CALL(f, x, ...)       x->method->x509_##f(x, ##__VA_ARGS__)
+#define EVP_PKEY_METHOD_CALL(f, k, ...)   k->method->pkey_##f(k, ##__VA_ARGS__)
+
+typedef int (*OPENSSL_sk_compfunc)(const void *, const void *);
+
+struct stack_st;
+typedef struct stack_st OPENSSL_STACK;
+
+struct ssl_method_st;
+typedef struct ssl_method_st SSL_METHOD;
+
+struct ssl_method_func_st;
+typedef struct ssl_method_func_st SSL_METHOD_FUNC;
+
+struct record_layer_st;
+typedef struct record_layer_st RECORD_LAYER;
+
+struct ossl_statem_st;
+typedef struct ossl_statem_st OSSL_STATEM;
+
+struct ssl_session_st;
+typedef struct ssl_session_st SSL_SESSION;
+
+struct ssl_ctx_st;
+typedef struct ssl_ctx_st SSL_CTX;
+
+struct ssl_st;
+typedef struct ssl_st SSL;
+
+struct cert_st;
+typedef struct cert_st CERT;
+
+struct x509_st;
+typedef struct x509_st X509;
+
+struct X509_VERIFY_PARAM_st;
+typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
+
+struct evp_pkey_st;
+typedef struct evp_pkey_st EVP_PKEY;
+
+struct x509_method_st;
+typedef struct x509_method_st X509_METHOD;
+
+struct pkey_method_st;
+typedef struct pkey_method_st PKEY_METHOD;
+
+struct stack_st {
+
+    char **data;
+
+    int num_alloc;
+
+    OPENSSL_sk_compfunc c;
+};
+
+struct evp_pkey_st {
+
+    void *pkey_pm;
+
+    const PKEY_METHOD *method;
+};
+
+struct x509_st {
+
+    /* X509 certification platform private point */
+    void *x509_pm;
+
+    const X509_METHOD *method;
+};
+
+struct cert_st {
+
+    int sec_level;
+
+    X509 *x509;
+
+    EVP_PKEY *pkey;
+
+};
+
+struct ossl_statem_st {
+
+    MSG_FLOW_STATE state;
+
+    int hand_state;
+};
+
+struct record_layer_st {
+
+    int rstate;
+
+    int read_ahead;
+};
+
+struct ssl_session_st {
+
+    long timeout;
+
+    long time;
+
+    X509 *peer;
+};
+
+struct X509_VERIFY_PARAM_st {
+
+    int depth;
+
+};
+
+struct ssl_ctx_st
+{
+    int version;
+
+    int references;
+
+    unsigned long options;
+
+    #if 0
+        struct alpn_protocols alpn_protocol;
+    #endif
+
+    const SSL_METHOD *method;
+
+    CERT *cert;
+
+    X509 *client_CA;
+
+    int verify_mode;
+
+    int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
+
+    long session_timeout;
+
+    int read_ahead;
+
+    int read_buffer_len;
+
+    X509_VERIFY_PARAM param;
+};
+
+struct ssl_st
+{
+    /* protocol version(one of SSL3.0, TLS1.0, etc.) */
+    int version;
+
+    unsigned long options;
+
+    /* shut things down(0x01 : sent, 0x02 : received) */
+    int shutdown;
+
+    CERT *cert;
+
+    X509 *client_CA;
+
+    SSL_CTX  *ctx;
+
+    const SSL_METHOD *method;
+
+    RECORD_LAYER rlayer;
+
+    /* where we are */
+    OSSL_STATEM statem;
+
+    SSL_SESSION *session;
+
+    int verify_mode;
+
+    int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
+
+    int rwstate;
+
+    long verify_result;
+
+    X509_VERIFY_PARAM param;
+
+    int err;
+
+    void (*info_callback) (const SSL *ssl, int type, int val);
+
+    /* SSL low-level system arch point */
+    void *ssl_pm;
+};
+
+struct ssl_method_st {
+    /* protocol version(one of SSL3.0, TLS1.0, etc.) */
+    int version;
+
+    /* SSL mode(client(0) , server(1), not known(-1)) */
+    int endpoint;
+
+    const SSL_METHOD_FUNC *func;
+};
+
+struct ssl_method_func_st {
+
+    int (*ssl_new)(SSL *ssl);
+
+    void (*ssl_free)(SSL *ssl);
+
+    int (*ssl_handshake)(SSL *ssl);
+
+    int (*ssl_shutdown)(SSL *ssl);
+
+    int (*ssl_clear)(SSL *ssl);
+
+    int (*ssl_read)(SSL *ssl, void *buffer, int len);
+
+    int (*ssl_send)(SSL *ssl, const void *buffer, int len);
+
+    int (*ssl_pending)(const SSL *ssl);
+
+    void (*ssl_set_fd)(SSL *ssl, int fd, int mode);
+
+    int (*ssl_get_fd)(const SSL *ssl, int mode);
+
+    void (*ssl_set_bufflen)(SSL *ssl, int len);
+
+    long (*ssl_get_verify_result)(const SSL *ssl);
+
+    OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
+};
+
+struct x509_method_st {
+
+    int (*x509_new)(X509 *x, X509 *m_x);
+
+    void (*x509_free)(X509 *x);
+
+    int (*x509_load)(X509 *x, const unsigned char *buf, int len);
+
+    int (*x509_show_info)(X509 *x);
+};
+
+struct pkey_method_st {
+
+    int (*pkey_new)(EVP_PKEY *pkey, EVP_PKEY *m_pkey);
+
+    void (*pkey_free)(EVP_PKEY *pkey);
+
+    int (*pkey_load)(EVP_PKEY *pkey, const unsigned char *buf, int len);
+};
+
+typedef int (*next_proto_cb)(SSL *ssl, unsigned char **out,
+                             unsigned char *outlen, const unsigned char *in,
+                             unsigned int inlen, void *arg);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/ssl_x509.h b/include/openssl/internal/ssl_x509.h
new file mode 100755
index 00000000..840fbf1e
--- /dev/null
+++ b/include/openssl/internal/ssl_x509.h
@@ -0,0 +1,108 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_X509_H_
+#define _SSL_X509_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "ssl_types.h"
+#include "ssl_stack.h"
+
+DEFINE_STACK_OF(X509_NAME)
+
+/**
+ * @brief create a X509 certification object according to input X509 certification
+ *
+ * @param ix - input X509 certification point
+ *
+ * @return new X509 certification object point
+ */
+X509* __X509_new(X509 *ix);
+
+/**
+ * @brief create a X509 certification object
+ *
+ * @param none
+ *
+ * @return X509 certification object point
+ */
+X509* X509_new(void);
+
+/**
+ * @brief load a character certification context into system context. If '*cert' is pointed to the
+ *        certification, then load certification into it. Or create a new X509 certification object
+ *
+ * @param cert   - a point pointed to X509 certification
+ * @param buffer - a point pointed to the certification context memory point
+ * @param length - certification bytes
+ *
+ * @return X509 certification object point
+ */
+X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
+
+/**
+ * @brief free a X509 certification object
+ *
+ * @param x - X509 certification object point
+ *
+ * @return none
+ */
+void X509_free(X509 *x);
+
+/**
+ * @brief set SSL context client CA certification
+ *
+ * @param ctx - SSL context point
+ * @param x   - X509 certification point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK
+ */
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
+
+/**
+ * @brief add CA client certification into the SSL
+ *
+ * @param ssl - SSL point
+ * @param x   - X509 certification point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK
+ */
+int SSL_add_client_CA(SSL *ssl, X509 *x);
+
+/**
+ * @brief load certification into the SSL
+ *
+ * @param ssl - SSL point
+ * @param len - data bytes
+ * @param d   - data point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK
+ *
+ */
+int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/tls1.h b/include/openssl/internal/tls1.h
new file mode 100644
index 00000000..a9da53e0
--- /dev/null
+++ b/include/openssl/internal/tls1.h
@@ -0,0 +1,55 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _TLS1_H_
+#define _TLS1_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+# define TLS1_AD_DECRYPTION_FAILED       21
+# define TLS1_AD_RECORD_OVERFLOW         22
+# define TLS1_AD_UNKNOWN_CA              48/* fatal */
+# define TLS1_AD_ACCESS_DENIED           49/* fatal */
+# define TLS1_AD_DECODE_ERROR            50/* fatal */
+# define TLS1_AD_DECRYPT_ERROR           51
+# define TLS1_AD_EXPORT_RESTRICTION      60/* fatal */
+# define TLS1_AD_PROTOCOL_VERSION        70/* fatal */
+# define TLS1_AD_INSUFFICIENT_SECURITY   71/* fatal */
+# define TLS1_AD_INTERNAL_ERROR          80/* fatal */
+# define TLS1_AD_INAPPROPRIATE_FALLBACK  86/* fatal */
+# define TLS1_AD_USER_CANCELLED          90
+# define TLS1_AD_NO_RENEGOTIATION        100
+/* codes 110-114 are from RFC3546 */
+# define TLS1_AD_UNSUPPORTED_EXTENSION   110
+# define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111
+# define TLS1_AD_UNRECOGNIZED_NAME       112
+# define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
+# define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
+# define TLS1_AD_UNKNOWN_PSK_IDENTITY    115/* fatal */
+# define TLS1_AD_NO_APPLICATION_PROTOCOL 120 /* fatal */
+
+/* Special value for method supporting multiple versions */
+#define TLS_ANY_VERSION                 0x10000
+
+#define TLS1_VERSION                    0x0301
+#define TLS1_1_VERSION                  0x0302
+#define TLS1_2_VERSION                  0x0303
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/internal/x509_vfy.h b/include/openssl/internal/x509_vfy.h
new file mode 100644
index 00000000..d5b0d1a2
--- /dev/null
+++ b/include/openssl/internal/x509_vfy.h
@@ -0,0 +1,111 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _X509_VFY_H_
+#define _X509_VFY_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#define         X509_V_OK                                       0
+#define         X509_V_ERR_UNSPECIFIED                          1
+#define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
+#define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
+#define         X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
+#define         X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE      5
+#define         X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
+#define         X509_V_ERR_CERT_SIGNATURE_FAILURE               7
+#define         X509_V_ERR_CRL_SIGNATURE_FAILURE                8
+#define         X509_V_ERR_CERT_NOT_YET_VALID                   9
+#define         X509_V_ERR_CERT_HAS_EXPIRED                     10
+#define         X509_V_ERR_CRL_NOT_YET_VALID                    11
+#define         X509_V_ERR_CRL_HAS_EXPIRED                      12
+#define         X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD       13
+#define         X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD        14
+#define         X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD       15
+#define         X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD       16
+#define         X509_V_ERR_OUT_OF_MEM                           17
+#define         X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT          18
+#define         X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN            19
+#define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY    20
+#define         X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE      21
+#define         X509_V_ERR_CERT_CHAIN_TOO_LONG                  22
+#define         X509_V_ERR_CERT_REVOKED                         23
+#define         X509_V_ERR_INVALID_CA                           24
+#define         X509_V_ERR_PATH_LENGTH_EXCEEDED                 25
+#define         X509_V_ERR_INVALID_PURPOSE                      26
+#define         X509_V_ERR_CERT_UNTRUSTED                       27
+#define         X509_V_ERR_CERT_REJECTED                        28
+/* These are 'informational' when looking for issuer cert */
+#define         X509_V_ERR_SUBJECT_ISSUER_MISMATCH              29
+#define         X509_V_ERR_AKID_SKID_MISMATCH                   30
+#define         X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
+#define         X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
+#define         X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
+#define         X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
+#define         X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
+#define         X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
+#define         X509_V_ERR_INVALID_NON_CA                       37
+#define         X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
+#define         X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
+#define         X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
+#define         X509_V_ERR_INVALID_EXTENSION                    41
+#define         X509_V_ERR_INVALID_POLICY_EXTENSION             42
+#define         X509_V_ERR_NO_EXPLICIT_POLICY                   43
+#define         X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
+#define         X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45
+#define         X509_V_ERR_UNNESTED_RESOURCE                    46
+#define         X509_V_ERR_PERMITTED_VIOLATION                  47
+#define         X509_V_ERR_EXCLUDED_VIOLATION                   48
+#define         X509_V_ERR_SUBTREE_MINMAX                       49
+/* The application is not happy */
+#define         X509_V_ERR_APPLICATION_VERIFICATION             50
+#define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
+#define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
+#define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
+#define         X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
+/* Another issuer check debug option */
+#define         X509_V_ERR_PATH_LOOP                            55
+/* Suite B mode algorithm violation */
+#define         X509_V_ERR_SUITE_B_INVALID_VERSION              56
+#define         X509_V_ERR_SUITE_B_INVALID_ALGORITHM            57
+#define         X509_V_ERR_SUITE_B_INVALID_CURVE                58
+#define         X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM  59
+#define         X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED              60
+#define         X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
+/* Host, email and IP check errors */
+#define         X509_V_ERR_HOSTNAME_MISMATCH                    62
+#define         X509_V_ERR_EMAIL_MISMATCH                       63
+#define         X509_V_ERR_IP_ADDRESS_MISMATCH                  64
+/* DANE TLSA errors */
+#define         X509_V_ERR_DANE_NO_MATCH                        65
+/* security level errors */
+#define         X509_V_ERR_EE_KEY_TOO_SMALL                     66
+#define         X509_V_ERR_CA_KEY_TOO_SMALL                     67
+#define         X509_V_ERR_CA_MD_TOO_WEAK                       68
+/* Caller error */
+#define         X509_V_ERR_INVALID_CALL                         69
+/* Issuer lookup error */
+#define         X509_V_ERR_STORE_LOOKUP                         70
+/* Certificate transparency */
+#define         X509_V_ERR_NO_VALID_SCTS                        71
+
+#define         X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION         72
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/mbedtls_ssl.h b/include/openssl/mbedtls_ssl.h
deleted file mode 100644
index e0f40082..00000000
--- a/include/openssl/mbedtls_ssl.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef _MBEDTLS_SSL_H_
-#define _MBEDTLS_SSL_H_
-
-#include "ssl_ctx.h"
-
-/*
-{
-*/
-#define SSL_MAX_FRAG_LEN_NONE 0
-#define SSL_MAX_FRAG_LEN_512  512
-#define SSL_MAX_FRAG_LEN_1024 1024
-#define SSL_MAX_FRAG_LEN_2048 2048
-#define SSL_MAX_FRAG_LEN_4096 4096
-#define SSL_MAX_FRAG_LEN_8192 8192
-
-#define SSL_DISPLAY_CERTS     (1 << 0)
-#define SSL_NO_DEFAULT_KEY    (1 << 1)
-
-#define SSL_SERVER_VERIFY_LATER (1 << 2)
-#define SSL_CLIENT_AUTHENTICATION (1 << 3)
-
-typedef void SSL;
-
-enum {
-	SSL_OK = 0
-};
-
-/*
-}
-*/
-
-void ssl_set_frag(SSL *ssl, unsigned int frag);
-
-SSL* ssl_new(struct ssl_ctx *ssl_ctx);
-
-int ssl_connect(SSL *ssl);
-
-int ssl_get_verify_result(SSL *ssl);
-
-int ssl_set_fd(SSL *ssl, int);
-
-int ssl_free(SSL *ssl);
-
-int ssl_accept(SSL *ssl);
-
-int ssl_read(SSL *ssl, void *buffer, int max_len);
-
-int ssl_write(SSL *ssl, const void *buffer, int max_len);
-
-#endif
diff --git a/include/openssl/openssl/ssl.h b/include/openssl/openssl/ssl.h
new file mode 100755
index 00000000..39d4bf73
--- /dev/null
+++ b/include/openssl/openssl/ssl.h
@@ -0,0 +1,1755 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_H_
+#define _SSL_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "internal/ssl_x509.h"
+#include "internal/ssl_pkey.h"
+
+/*
+{
+*/
+
+/**
+ * @brief create a SSL context
+ *
+ * @param method - the SSL context method point
+ *
+ * @return the context point
+ */
+SSL_CTX* SSL_CTX_new(const SSL_METHOD *method);
+
+/**
+ * @brief free a SSL context
+ *
+ * @param method - the SSL context point
+ *
+ * @return none
+ */
+void SSL_CTX_free(SSL_CTX *ctx);
+
+/**
+ * @brief create a SSL
+ *
+ * @param ctx - the SSL context point
+ *
+ * @return the SSL point
+ */
+SSL* SSL_new(SSL_CTX *ctx);
+
+/**
+ * @brief free the SSL
+ *
+ * @param ssl - the SSL point
+ *
+ * @return none
+ */
+void SSL_free(SSL *ssl);
+
+/**
+ * @brief connect to the remote SSL server
+ *
+ * @param ssl - the SSL point
+ *
+ * @return result
+ *     1 : OK
+ *    -1 : failed
+ */
+int SSL_connect(SSL *ssl);
+
+/**
+ * @brief accept the remote connection
+ *
+ * @param ssl - the SSL point
+ *
+ * @return result
+ *     1 : OK
+ *    -1 : failed
+ */
+int SSL_accept(SSL *ssl);
+
+/**
+ * @brief read data from to remote
+ *
+ * @param ssl    - the SSL point which has been connected
+ * @param buffer - the received data buffer point
+ * @param len    - the received data length
+ *
+ * @return result
+ *     > 0 : OK, and return received data bytes
+ *     = 0 : connection is closed
+ *     < 0 : an error catch
+ */
+int SSL_read(SSL *ssl, void *buffer, int len);
+
+/**
+ * @brief send the data to remote
+ *
+ * @param ssl    - the SSL point which has been connected
+ * @param buffer - the send data buffer point
+ * @param len    - the send data length
+ *
+ * @return result
+ *     > 0 : OK, and return sent data bytes
+ *     = 0 : connection is closed
+ *     < 0 : an error catch
+ */
+int SSL_write(SSL *ssl, const void *buffer, int len);
+
+/**
+ * @brief get the verifying result of the SSL certification
+ *
+ * @param ssl - the SSL point
+ *
+ * @return the result of verifying
+ */
+long SSL_get_verify_result(const SSL *ssl);
+
+/**
+ * @brief shutdown the connection
+ *
+ * @param ssl - the SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : shutdown is not finished
+ *    -1 : an error catch
+ */
+int SSL_shutdown(SSL *ssl);
+
+/**
+ * @brief bind the socket file description into the SSL
+ *
+ * @param ssl - the SSL point
+ * @param fd  - socket handle
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_set_fd(SSL *ssl, int fd);
+
+/**
+ * @brief These functions load the private key into the SSL_CTX or SSL object
+ *
+ * @param ctx  - the SSL context point
+ * @param pkey - private key object point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
+
+/**
+ * @brief These functions load the certification into the SSL_CTX or SSL object
+ *
+ * @param ctx  - the SSL context point
+ * @param pkey - certification object point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
+
+/**
+ * @brief create the target SSL context client method
+ *
+ * @param none
+ *
+ * @return the SSLV2.3 version SSL context client method
+ */
+const SSL_METHOD* SSLv23_client_method(void);
+
+/**
+ * @brief create the target SSL context client method
+ *
+ * @param none
+ *
+ * @return the TLSV1.0 version SSL context client method
+ */
+const SSL_METHOD* TLSv1_client_method(void);
+
+/**
+ * @brief create the target SSL context client method
+ *
+ * @param none
+ *
+ * @return the SSLV1.0 version SSL context client method
+ */
+const SSL_METHOD* SSLv3_client_method(void);
+
+/**
+ * @brief create the target SSL context client method
+ *
+ * @param none
+ *
+ * @return the TLSV1.1 version SSL context client method
+ */
+const SSL_METHOD* TLSv1_1_client_method(void);
+
+/**
+ * @brief create the target SSL context client method
+ *
+ * @param none
+ *
+ * @return the TLSV1.2 version SSL context client method
+ */
+const SSL_METHOD* TLSv1_2_client_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the TLS any version SSL context client method
+ */
+const SSL_METHOD* TLS_client_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the SSLV2.3 version SSL context server method
+ */
+const SSL_METHOD* SSLv23_server_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the TLSV1.1 version SSL context server method
+ */
+const SSL_METHOD* TLSv1_1_server_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the TLSV1.2 version SSL context server method
+ */
+const SSL_METHOD* TLSv1_2_server_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the TLSV1.0 version SSL context server method
+ */
+const SSL_METHOD* TLSv1_server_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the SSLV3.0 version SSL context server method
+ */
+const SSL_METHOD* SSLv3_server_method(void);
+
+/**
+ * @brief create the target SSL context server method
+ *
+ * @param none
+ *
+ * @return the TLS any version SSL context server method
+ */
+const SSL_METHOD* TLS_server_method(void);
+
+
+/**
+ * @brief set the SSL context ALPN select callback function
+ *
+ * @param ctx - SSL context point
+ * @param cb  - ALPN select callback function
+ * @param arg - ALPN select callback function entry private data point
+ *
+ * @return none
+ */
+void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
+                                int (*cb) (SSL *ssl,
+                                           const unsigned char **out,
+                                           unsigned char *outlen,
+                                           const unsigned char *in,
+                                           unsigned int inlen,
+                                           void *arg),
+                                void *arg);
+
+
+/**
+ * @brief set the SSL context ALPN select protocol
+ *
+ * @param ctx        - SSL context point
+ * @param protos     - ALPN protocol name
+ * @param protos_len - ALPN protocol name bytes
+ *
+ * @return result
+ *     0 : OK
+ *     1 : failed
+ */
+int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned int protos_len);
+
+/**
+ * @brief set the SSL context next ALPN select callback function
+ *
+ * @param ctx - SSL context point
+ * @param cb  - ALPN select callback function
+ * @param arg - ALPN select callback function entry private data point
+ *
+ * @return none
+ */
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
+                                      int (*cb) (SSL *ssl,
+                                                 unsigned char **out,
+                                                 unsigned char *outlen,
+                                                 const unsigned char *in,
+                                                 unsigned int inlen,
+                                                 void *arg),
+                                      void *arg);
+
+/**
+ * @brief get SSL error code
+ *
+ * @param ssl       - SSL point
+ * @param ret_code  - SSL return code
+ *
+ * @return SSL error number
+ */
+int SSL_get_error(const SSL *ssl, int ret_code);
+
+/**
+ * @brief clear the SSL error code
+ *
+ * @param none
+ *
+ * @return none
+ */
+void ERR_clear_error(void);
+
+/**
+ * @brief get the current SSL error code
+ *
+ * @param none
+ *
+ * @return current SSL error number
+ */
+int ERR_get_error(void);
+
+/**
+ * @brief register the SSL error strings
+ *
+ * @param none
+ *
+ * @return none
+ */
+void ERR_load_SSL_strings(void);
+
+/**
+ * @brief initialize the SSL library
+ *
+ * @param none
+ *
+ * @return none
+ */
+void SSL_library_init(void);
+
+/**
+ * @brief generates a human-readable string representing the error code e
+ *        and store it into the "ret" point memory
+ *
+ * @param e   - error code
+ * @param ret - memory point to store the string
+ *
+ * @return the result string point
+ */
+char *ERR_error_string(unsigned long e, char *ret);
+
+/**
+ * @brief add the SSL context option
+ *
+ * @param ctx - SSL context point
+ * @param opt - new SSL context option
+ *
+ * @return the SSL context option
+ */
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt);
+
+/**
+ * @brief add the SSL context mode
+ *
+ * @param ctx - SSL context point
+ * @param mod - new SSL context mod
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_mode(SSL_CTX *ctx, int mod);
+
+/*
+}
+*/
+
+/**
+ * @brief perform the SSL handshake
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ *    -1 : a error catch
+ */
+int SSL_do_handshake(SSL *ssl);
+
+/**
+ * @brief get the SSL current version
+ *
+ * @param ssl - SSL point
+ *
+ * @return the version string
+ */
+const char *SSL_get_version(const SSL *ssl);
+
+/**
+ * @brief set  the SSL context version
+ *
+ * @param ctx  - SSL context point
+ * @param meth - SSL method point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
+
+/**
+ * @brief get the bytes numbers which are to be read
+ *
+ * @param ssl  - SSL point
+ *
+ * @return bytes number
+ */
+int SSL_pending(const SSL *ssl);
+
+/**
+ * @brief check if SSL want nothing
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     0 : false
+ *     1 : true
+ */
+int SSL_want_nothing(const SSL *ssl);
+
+/**
+ * @brief check if SSL want to read
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     0 : false
+ *     1 : true
+ */
+int SSL_want_read(const SSL *ssl);
+
+/**
+ * @brief check if SSL want to write
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     0 : false
+ *     1 : true
+ */
+int SSL_want_write(const SSL *ssl);
+
+/**
+ * @brief get the SSL context current method
+ *
+ * @param ctx - SSL context point
+ *
+ * @return the SSL context current method
+ */
+const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx);
+
+/**
+ * @brief get the SSL current method
+ *
+ * @param ssl - SSL point
+ *
+ * @return the SSL current method
+ */
+const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
+
+/**
+ * @brief set the SSL method
+ *
+ * @param ssl  - SSL point
+ * @param meth - SSL method point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method);
+
+/**
+ * @brief add CA client certification into the SSL
+ *
+ * @param ssl - SSL point
+ * @param x   - CA certification point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_add_client_CA(SSL *ssl, X509 *x);
+
+/**
+ * @brief add CA client certification into the SSL context
+ *
+ * @param ctx - SSL context point
+ * @param x   - CA certification point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
+
+/**
+ * @brief set the SSL CA certification list
+ *
+ * @param ssl       - SSL point
+ * @param name_list - CA certification list
+ *
+ * @return none
+ */
+void SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list);
+
+/**
+ * @brief set the SSL context CA certification list
+ *
+ * @param ctx       - SSL context point
+ * @param name_list - CA certification list
+ *
+ * @return none
+ */
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
+
+/**
+ * @briefget the SSL CA certification list
+ *
+ * @param ssl - SSL point
+ *
+ * @return CA certification list
+ */
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);
+
+/**
+ * @brief get the SSL context CA certification list
+ *
+ * @param ctx - SSL context point
+ *
+ * @return CA certification list
+ */
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
+
+/**
+ * @brief get the SSL certification point
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL certification point
+ */
+X509 *SSL_get_certificate(const SSL *ssl);
+
+/**
+ * @brief get the SSL private key point
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL private key point
+ */
+EVP_PKEY *SSL_get_privatekey(const SSL *ssl);
+
+/**
+ * @brief set the SSL information callback function
+ *
+ * @param ssl - SSL point
+ * @param cb  - information callback function
+ *
+ * @return none
+ */
+void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val));
+
+/**
+ * @brief get the SSL state
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL state
+ */
+OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
+
+/**
+ * @brief set the SSL context read buffer length
+ *
+ * @param ctx - SSL context point
+ * @param len - read buffer length
+ *
+ * @return none
+ */
+void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
+
+/**
+ * @brief set the SSL read buffer length
+ *
+ * @param ssl - SSL point
+ * @param len - read buffer length
+ *
+ * @return none
+ */
+void SSL_set_default_read_buffer_len(SSL *ssl, size_t len);
+
+/**
+ * @brief set the SSL security level
+ *
+ * @param ssl   - SSL point
+ * @param level - security level
+ *
+ * @return none
+ */
+void SSL_set_security_level(SSL *ssl, int level);
+
+/**
+ * @brief get the SSL security level
+ *
+ * @param ssl - SSL point
+ *
+ * @return security level
+ */
+int SSL_get_security_level(const SSL *ssl);
+
+/**
+ * @brief get the SSL verifying mode of the SSL context
+ *
+ * @param ctx - SSL context point
+ *
+ * @return verifying mode
+ */
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+
+/**
+ * @brief get the SSL verifying depth of the SSL context
+ *
+ * @param ctx - SSL context point
+ *
+ * @return verifying depth
+ */
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+
+/**
+ * @brief set the SSL context verifying of the SSL context
+ *
+ * @param ctx             - SSL context point
+ * @param mode            - verifying mode
+ * @param verify_callback - verifying callback function
+ *
+ * @return none
+ */
+void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *));
+
+/**
+ * @brief set the SSL verifying of the SSL context
+ *
+ * @param ctx             - SSL point
+ * @param mode            - verifying mode
+ * @param verify_callback - verifying callback function
+ *
+ * @return none
+ */
+void SSL_set_verify(SSL *s, int mode, int (*verify_callback)(int, X509_STORE_CTX *));
+
+/**
+ * @brief set the SSL verify depth of the SSL context
+ *
+ * @param ctx   - SSL context point
+ * @param depth - verifying depth
+ *
+ * @return none
+ */
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
+
+/**
+ * @brief certification verifying callback function
+ *
+ * @param preverify_ok - verifying result
+ * @param x509_ctx     - X509 certification point
+ *
+ * @return verifying result
+ */
+int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx);
+
+/**
+ * @brief set the session timeout time
+ *
+ * @param ctx - SSL context point
+ * @param t   - new session timeout time
+ *
+ * @return old session timeout time
+ */
+long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
+
+/**
+ * @brief get the session timeout time
+ *
+ * @param ctx - SSL context point
+ *
+ * @return current session timeout time
+ */
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
+
+/**
+ * @brief set the SSL context cipher through the list string
+ *
+ * @param ctx - SSL context point
+ * @param str - cipher controller list string
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);
+
+/**
+ * @brief set the SSL cipher through the list string
+ *
+ * @param ssl - SSL point
+ * @param str - cipher controller list string
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_set_cipher_list(SSL *ssl, const char *str);
+
+/**
+ * @brief get the SSL cipher list string
+ *
+ * @param ssl - SSL point
+ *
+ * @return cipher controller list string
+ */
+const char *SSL_get_cipher_list(const SSL *ssl, int n);
+
+/**
+ * @brief get the SSL cipher
+ *
+ * @param ssl - SSL point
+ *
+ * @return current cipher
+ */
+const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);
+
+/**
+ * @brief get the SSL cipher string
+ *
+ * @param ssl - SSL point
+ *
+ * @return cipher string
+ */
+const char *SSL_get_cipher(const SSL *ssl);
+
+/**
+ * @brief get the SSL context object X509 certification storage
+ *
+ * @param ctx - SSL context point
+ *
+ * @return x509 certification storage
+ */
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);
+
+/**
+ * @brief set the SSL context object X509 certification store
+ *
+ * @param ctx   - SSL context point
+ * @param store - X509 certification store
+ *
+ * @return none
+ */
+void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);
+
+/**
+ * @brief get the SSL specifical statement
+ *
+ * @param ssl - SSL point
+ *
+ * @return specifical statement
+ */
+int SSL_want(const SSL *ssl);
+
+/**
+ * @brief check if the SSL is SSL_X509_LOOKUP state
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_want_x509_lookup(const SSL *ssl);
+
+/**
+ * @brief reset the SSL
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_clear(SSL *ssl);
+
+/**
+ * @brief get the socket handle of the SSL
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     >= 0 : yes, and return socket handle
+ *      < 0 : a error catch
+ */
+int SSL_get_fd(const SSL *ssl);
+
+/**
+ * @brief get the read only socket handle of the SSL
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     >= 0 : yes, and return socket handle
+ *      < 0 : a error catch
+ */
+int SSL_get_rfd(const SSL *ssl);
+
+/**
+ * @brief get the write only socket handle of the SSL
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     >= 0 : yes, and return socket handle
+ *      < 0 : a error catch
+ */
+int SSL_get_wfd(const SSL *ssl);
+
+/**
+ * @brief set the SSL if we can read as many as data
+ *
+ * @param ssl - SSL point
+ * @param yes - enable the function
+ *
+ * @return none
+ */
+void SSL_set_read_ahead(SSL *s, int yes);
+
+/**
+ * @brief set the SSL context if we can read as many as data
+ *
+ * @param ctx - SSL context point
+ * @param yes - enbale the function
+ *
+ * @return none
+ */
+void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);
+
+/**
+ * @brief get the SSL ahead signal if we can read as many as data
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL context ahead signal
+ */
+int SSL_get_read_ahead(const SSL *ssl);
+
+/**
+ * @brief get the SSL context ahead signal if we can read as many as data
+ *
+ * @param ctx - SSL context point
+ *
+ * @return SSL context ahead signal
+ */
+long SSL_CTX_get_read_ahead(SSL_CTX *ctx);
+
+/**
+ * @brief check if some data can be read
+ *
+ * @param ssl - SSL point
+ *
+ * @return
+ *         1 : there are bytes to be read
+ *         0 : no data
+ */
+int SSL_has_pending(const SSL *ssl);
+
+/**
+ * @brief load the X509 certification into SSL context
+ *
+ * @param ctx - SSL context point
+ * @param x   - X509 certification point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);//loads the certificate x into ctx
+
+/**
+ * @brief load the ASN1 certification into SSL context
+ *
+ * @param ctx - SSL context point
+ * @param len - certification length
+ * @param d   - data point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d);
+
+/**
+ * @brief load the certification file into SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param file - certification file name
+ * @param type - certification encoding type
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
+
+/**
+ * @brief load the certification chain file into SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param file - certification chain file name
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
+
+
+/**
+ * @brief load the ASN1 private key into SSL context
+ *
+ * @param ctx - SSL context point
+ * @param d   - data point
+ * @param len - private key length
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, const unsigned char *d,  long len);//adds the private key of type pk stored at memory location d (length len) to ctx
+
+/**
+ * @brief load the private key file into SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param file - private key file name
+ * @param type - private key encoding type
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+
+/**
+ * @brief load the RSA private key into SSL context
+ *
+ * @param ctx - SSL context point
+ * @param x   - RSA private key point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+
+/**
+ * @brief load the RSA ASN1 private key into SSL context
+ *
+ * @param ctx - SSL context point
+ * @param d   - data point
+ * @param len - RSA private key length
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len);
+
+/**
+ * @brief load the RSA private key file into SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param file - RSA private key file name
+ * @param type - private key encoding type
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
+
+
+/**
+ * @brief check if the private key and certification is matched
+ *
+ * @param ctx  - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+
+/**
+ * @brief set the SSL context server information
+ *
+ * @param ctx               - SSL context point
+ * @param serverinfo        - server information string
+ * @param serverinfo_length - server information length
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length);
+
+/**
+ * @brief load  the SSL context server infomation file into SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param file - server information file
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
+
+/**
+ * @brief SSL select next function
+ *
+ * @param out        - point of output data point
+ * @param outlen     - output data length
+ * @param in         - input data
+ * @param inlen      - input data length
+ * @param client     - client data point
+ * @param client_len -client data length
+ *
+ * @return NPN state
+ *         OPENSSL_NPN_UNSUPPORTED : not support
+ *         OPENSSL_NPN_NEGOTIATED  : negotiated
+ *         OPENSSL_NPN_NO_OVERLAP  : no overlap
+ */
+int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
+                          const unsigned char *in, unsigned int inlen,
+                          const unsigned char *client, unsigned int client_len);
+
+/**
+ * @brief load the extra certification chain into the SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param x509 - X509 certification
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *);
+
+/**
+ * @brief control the SSL context
+ *
+ * @param ctx  - SSL context point
+ * @param cmd  - command
+ * @param larg - parameter length
+ * @param parg - parameter point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
+
+/**
+ * @brief get the SSL context cipher
+ *
+ * @param ctx - SSL context point
+ *
+ * @return SSL context cipher
+ */
+STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
+
+/**
+ * @brief check if the SSL context can read as many as data
+ *
+ * @param ctx - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
+
+/**
+ * @brief get the SSL context extra data
+ *
+ * @param ctx - SSL context point
+ * @param idx - index
+ *
+ * @return data point
+ */
+char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
+
+/**
+ * @brief get the SSL context quiet shutdown option
+ *
+ * @param ctx - SSL context point
+ *
+ * @return quiet shutdown option
+ */
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
+
+/**
+ * @brief load the SSL context CA file
+ *
+ * @param ctx    - SSL context point
+ * @param CAfile - CA certification file
+ * @param CApath - CA certification file path
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
+
+/**
+ * @brief add SSL context reference count by '1'
+ *
+ * @param ctx - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_up_ref(SSL_CTX *ctx);
+
+/**
+ * @brief set SSL context application private data
+ *
+ * @param ctx - SSL context point
+ * @param arg - private data
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);
+
+/**
+ * @brief set SSL context client certification callback function
+ *
+ * @param ctx - SSL context point
+ * @param cb  - callback function
+ *
+ * @return none
+ */
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
+
+/**
+ * @brief set the SSL context if we can read as many as data
+ *
+ * @param ctx - SSL context point
+ * @param m   - enable the fuction
+ *
+ * @return none
+ */
+void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);
+
+/**
+ * @brief set SSL context default verifying path
+ *
+ * @param ctx - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+
+/**
+ * @brief set SSL context default verifying directory
+ *
+ * @param ctx - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
+
+/**
+ * @brief set SSL context default verifying file
+ *
+ * @param ctx - SSL context point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
+
+/**
+ * @brief set SSL context extra data
+ *
+ * @param ctx - SSL context point
+ * @param idx - data index
+ * @param arg - data point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);
+
+/**
+ * @brief clear the SSL context option bit of "op"
+ *
+ * @param ctx - SSL context point
+ * @param op  - option
+ *
+ * @return SSL context option
+ */
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
+
+/**
+ * @brief get the SSL context option
+ *
+ * @param ctx - SSL context point
+ * @param op  - option
+ *
+ * @return SSL context option
+ */
+unsigned long SSL_CTX_get_options(SSL_CTX *ctx);
+
+/**
+ * @brief set the SSL context quiet shutdown mode
+ *
+ * @param ctx  - SSL context point
+ * @param mode - mode
+ *
+ * @return none
+ */
+void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
+
+/**
+ * @brief get the SSL context X509 certification
+ *
+ * @param ctx - SSL context point
+ *
+ * @return X509 certification
+ */
+X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
+
+/**
+ * @brief get the SSL context private key
+ *
+ * @param ctx - SSL context point
+ *
+ * @return private key
+ */
+EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
+
+/**
+ * @brief set SSL context PSK identity hint
+ *
+ * @param ctx  - SSL context point
+ * @param hint - PSK identity hint
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);
+
+/**
+ * @brief set SSL context PSK server callback function
+ *
+ * @param ctx      - SSL context point
+ * @param callback - callback function
+ *
+ * @return none
+ */
+void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
+                                     unsigned int (*callback)(SSL *ssl,
+                                                              const char *identity,
+                                                              unsigned char *psk,
+                                                              int max_psk_len));
+/**
+ * @brief get alert description string
+ *
+ * @param value - alert value
+ *
+ * @return alert description string
+ */
+const char *SSL_alert_desc_string(int value);
+
+/**
+ * @brief get alert description long string
+ *
+ * @param value - alert value
+ *
+ * @return alert description long string
+ */
+const char *SSL_alert_desc_string_long(int value);
+
+/**
+ * @brief get alert type string
+ *
+ * @param value - alert value
+ *
+ * @return alert type string
+ */
+const char *SSL_alert_type_string(int value);
+
+/**
+ * @brief get alert type long string
+ *
+ * @param value - alert value
+ *
+ * @return alert type long string
+ */
+const char *SSL_alert_type_string_long(int value);
+
+/**
+ * @brief get SSL context of the SSL
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL context
+ */
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
+
+/**
+ * @brief get SSL application data
+ *
+ * @param ssl - SSL point
+ *
+ * @return application data
+ */
+char *SSL_get_app_data(SSL *ssl);
+
+/**
+ * @brief get SSL cipher bits
+ *
+ * @param ssl - SSL point
+ * @param alg_bits - algorithm bits
+ *
+ * @return strength bits
+ */
+int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);
+
+/**
+ * @brief get SSL cipher name
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL cipher name
+ */
+char *SSL_get_cipher_name(const SSL *ssl);
+
+/**
+ * @brief get SSL cipher version
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL cipher version
+ */
+char *SSL_get_cipher_version(const SSL *ssl);
+
+/**
+ * @brief get SSL extra data
+ *
+ * @param ssl - SSL point
+ * @param idx - data index
+ *
+ * @return extra data
+ */
+char *SSL_get_ex_data(const SSL *ssl, int idx);
+
+/**
+ * @brief get index of the SSL extra data X509 storage context
+ *
+ * @param none
+ *
+ * @return data index
+ */
+int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+
+/**
+ * @brief get peer certification chain
+ *
+ * @param ssl - SSL point
+ *
+ * @return certification chain
+ */
+STACK *SSL_get_peer_cert_chain(const SSL *ssl);
+
+/**
+ * @brief get peer certification
+ *
+ * @param ssl - SSL point
+ *
+ * @return certification
+ */
+X509 *SSL_get_peer_certificate(const SSL *ssl);
+
+/**
+ * @brief get SSL quiet shutdown mode
+ *
+ * @param ssl - SSL point
+ *
+ * @return quiet shutdown mode
+ */
+int SSL_get_quiet_shutdown(const SSL *ssl);
+
+/**
+ * @brief get SSL read only IO handle
+ *
+ * @param ssl - SSL point
+ *
+ * @return IO handle
+ */
+BIO *SSL_get_rbio(const SSL *ssl);
+
+/**
+ * @brief get SSL shared ciphers
+ *
+ * @param ssl - SSL point
+ * @param buf - buffer to store the ciphers
+ * @param len - buffer len
+ *
+ * @return shared ciphers
+ */
+char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);
+
+/**
+ * @brief get SSL shutdown mode
+ *
+ * @param ssl - SSL point
+ *
+ * @return shutdown mode
+ */
+int SSL_get_shutdown(const SSL *ssl);
+
+/**
+ * @brief get SSL session time
+ *
+ * @param ssl - SSL point
+ *
+ * @return session time
+ */
+long SSL_get_time(const SSL *ssl);
+
+/**
+ * @brief get SSL session timeout time
+ *
+ * @param ssl - SSL point
+ *
+ * @return session timeout time
+ */
+long SSL_get_timeout(const SSL *ssl);
+
+/**
+ * @brief get SSL verifying mode
+ *
+ * @param ssl - SSL point
+ *
+ * @return verifying mode
+ */
+int SSL_get_verify_mode(const SSL *ssl);
+
+/**
+ * @brief get SSL write only IO handle
+ *
+ * @param ssl - SSL point
+ *
+ * @return IO handle
+ */
+BIO *SSL_get_wbio(const SSL *ssl);
+
+/**
+ * @brief load SSL client CA certification file
+ *
+ * @param file - file name
+ *
+ * @return certification loading object
+ */
+STACK *SSL_load_client_CA_file(const char *file);
+
+/**
+ * @brief add SSL reference by '1'
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_up_ref(SSL *ssl);
+
+/**
+ * @brief read and put data into buf, but not clear the SSL low-level storage
+ *
+ * @param ssl - SSL point
+ * @param buf - storage buffer point
+ * @param num - data bytes
+ *
+ * @return result
+ *     > 0 : OK, and return read bytes
+ *     = 0 : connect is closed
+ *     < 0 : a error catch
+ */
+int SSL_peek(SSL *ssl, void *buf, int num);
+
+/**
+ * @brief make SSL renegotiate
+ *
+ * @param ssl - SSL point
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_renegotiate(SSL *ssl);
+
+/**
+ * @brief get the state string where SSL is reading
+ *
+ * @param ssl - SSL point
+ *
+ * @return state string
+ */
+const char *SSL_rstate_string(SSL *ssl);
+
+/**
+ * @brief get the statement long string where SSL is reading
+ *
+ * @param ssl - SSL point
+ *
+ * @return statement long string
+ */
+const char *SSL_rstate_string_long(SSL *ssl);
+
+/**
+ * @brief set SSL accept statement
+ *
+ * @param ssl - SSL point
+ *
+ * @return none
+ */
+void SSL_set_accept_state(SSL *ssl);
+
+/**
+ * @brief set SSL application data
+ *
+ * @param ssl - SSL point
+ * @param arg - SSL application data point
+ *
+ * @return none
+ */
+void SSL_set_app_data(SSL *ssl, char *arg);
+
+/**
+ * @brief set SSL BIO
+ *
+ * @param ssl  - SSL point
+ * @param rbio - read only IO
+ * @param wbio - write only IO
+ *
+ * @return none
+ */
+void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
+
+/**
+ * @brief clear SSL option
+ *
+ * @param ssl - SSL point
+ * @param op  - clear option
+ *
+ * @return SSL option
+ */
+unsigned long SSL_clear_options(SSL *ssl, unsigned long op);
+
+/**
+ * @brief get SSL option
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL option
+ */
+unsigned long SSL_get_options(SSL *ssl);
+
+/**
+ * @brief clear SSL option
+ *
+ * @param ssl - SSL point
+ * @param op  - setting option
+ *
+ * @return SSL option
+ */
+unsigned long SSL_set_options(SSL *ssl, unsigned long op);
+
+/**
+ * @brief set SSL quiet shutdown mode
+ *
+ * @param ssl  - SSL point
+ * @param mode - quiet shutdown mode
+ *
+ * @return none
+ */
+void SSL_set_quiet_shutdown(SSL *ssl, int mode);
+
+/**
+ * @brief set SSL shutdown mode
+ *
+ * @param ssl  - SSL point
+ * @param mode - shutdown mode
+ *
+ * @return none
+ */
+void SSL_set_shutdown(SSL *ssl, int mode);
+
+/**
+ * @brief set SSL session time
+ *
+ * @param ssl - SSL point
+ * @param t   - session time
+ *
+ * @return session time
+ */
+void SSL_set_time(SSL *ssl, long t);
+
+/**
+ * @brief set SSL session timeout time
+ *
+ * @param ssl - SSL point
+ * @param t   - session timeout time
+ *
+ * @return session timeout time
+ */
+void SSL_set_timeout(SSL *ssl, long t);
+
+/**
+ * @brief get SSL statement string
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL statement string
+ */
+char *SSL_state_string(const SSL *ssl);
+
+/**
+ * @brief get SSL statement long string
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL statement long string
+ */
+char *SSL_state_string_long(const SSL *ssl);
+
+/**
+ * @brief get SSL renegotiation count
+ *
+ * @param ssl - SSL point
+ *
+ * @return renegotiation count
+ */
+long SSL_total_renegotiations(SSL *ssl);
+
+/**
+ * @brief get SSL version
+ *
+ * @param ssl - SSL point
+ *
+ * @return SSL version
+ */
+int SSL_version(const SSL *ssl);
+
+/**
+ * @brief set SSL PSK identity hint
+ *
+ * @param ssl  - SSL point
+ * @param hint - identity hint
+ *
+ * @return result
+ *     1 : OK
+ *     0 : failed
+ */
+int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
+
+/**
+ * @brief get SSL PSK identity hint
+ *
+ * @param ssl - SSL point
+ *
+ * @return identity hint
+ */
+const char *SSL_get_psk_identity_hint(SSL *ssl);
+
+/**
+ * @brief get SSL PSK identity
+ *
+ * @param ssl - SSL point
+ *
+ * @return identity
+ */
+const char *SSL_get_psk_identity(SSL *ssl);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/openssl/platform/ssl_opt.h b/include/openssl/platform/ssl_opt.h
new file mode 100644
index 00000000..65cd4232
--- /dev/null
+++ b/include/openssl/platform/ssl_opt.h
@@ -0,0 +1,89 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_OPT_H_
+#define _SSL_OPT_H_
+
+/*
+ * Enable OpenSSL debugging function.
+ *
+ * If the option is enabled, "SSL_DEBUG" works.
+ */
+//#define CONFIG_OPENSSL_DEBUG
+
+#ifdef CONFIG_OPENSSL_DEBUG
+
+/*
+ * OpenSSL debugging level.
+ *
+ * Only function whose debugging level is higher than "OPENSSL_DEBUG_LEVEL" works.
+ *
+ * For example:
+ *     If OPENSSL_DEBUG_LEVEL = 2, you use function "SSL_DEBUG(1, "malloc failed")". 
+ *     Because 1 < 2, it will not print.
+ */
+//#define CONFIG_OPENSSL_DEBUG_LEVEL
+
+/*
+ * If the option is enabled, low-level module debugging function of OpenSSL is enabled, 
+ * e.g. mbedtls internal debugging function.
+ */
+//#define CONFIG_OPENSSL_LOWLEVEL_DEBUG
+
+#endif /* CONFIG_OPENSSL_DEBUG */
+
+/*
+ * OpenSSL function needs "assert" function to check if input parameters are valid.
+ *
+ * If you want to use assert debugging function, "OPENSSL_DEBUG" should be enabled.
+ *
+ * You must only select one of following:
+ *     1. CONFIG_OPENSSL_ASSERT_DO_NOTHING
+ *     2. CONFIG_OPENSSL_ASSERT_EXIT
+ *     3. CONFIG_OPENSSL_ASSERT_DEBUG (depend on "CONFIG_OPENSSL_DEBUG")
+ *     4. CONFIG_OPENSSL_ASSERT_DEBUG_EXIT (depend on "CONFIG_OPENSSL_DEBUG")
+ *     5. CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK (depend on "CONFIG_OPENSSL_DEBUG")
+ */
+
+/*
+ * Do nothing and "SSL_ASSERT" does not work.
+ */
+//#define CONFIG_OPENSSL_ASSERT_DO_NOTHING
+
+/*
+ * Enable assert exiting, it will check and return error code.
+ */
+#define CONFIG_OPENSSL_ASSERT_EXIT
+  
+#ifdef CONFIG_OPENSSL_DEBUG
+      
+/*
+ * Enable assert debugging, it will check and show debugging message.
+ */
+//#define CONFIG_OPENSSL_ASSERT_DEBUG
+
+/*
+ * Enable assert debugging and exiting, it will check, show debugging message and return error code.
+ */
+//#define CONFIG_OPENSSL_ASSERT_DEBUG_EXIT
+
+/*
+ * Enable assert debugging and blocking, it will check, show debugging message and block by "while (1);".
+ */
+//#define CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK
+
+#endif /* CONFIG_OPENSSL_DEBUG */
+
+#endif
+
diff --git a/include/openssl/platform/ssl_pm.h b/include/openssl/platform/ssl_pm.h
new file mode 100755
index 00000000..e6ce49bf
--- /dev/null
+++ b/include/openssl/platform/ssl_pm.h
@@ -0,0 +1,59 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_PM_H_
+#define _SSL_PM_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include <string.h>
+#include "ssl_types.h"
+#include "ssl_port.h"
+
+int ssl_pm_new(SSL *ssl);
+void ssl_pm_free(SSL *ssl);
+
+int ssl_pm_handshake(SSL *ssl);
+int ssl_pm_shutdown(SSL *ssl);
+int ssl_pm_clear(SSL *ssl);
+
+int ssl_pm_read(SSL *ssl, void *buffer, int len);
+int ssl_pm_send(SSL *ssl, const void *buffer, int len);
+int ssl_pm_pending(const SSL *ssl);
+
+void ssl_pm_set_fd(SSL *ssl, int fd, int mode);
+int ssl_pm_get_fd(const SSL *ssl, int mode);
+
+OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
+
+void ssl_pm_set_bufflen(SSL *ssl, int len);
+
+int x509_pm_show_info(X509 *x);
+int x509_pm_new(X509 *x, X509 *m_x);
+void x509_pm_free(X509 *x);
+int x509_pm_load(X509 *x, const unsigned char *buffer, int len);
+
+int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk);
+void pkey_pm_free(EVP_PKEY *pk);
+int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len);
+
+long ssl_pm_get_verify_result(const SSL *ssl);
+
+#ifdef __cplusplus
+ }
+#endif
+
+#endif
diff --git a/include/openssl/platform/ssl_port.h b/include/openssl/platform/ssl_port.h
new file mode 100755
index 00000000..22733265
--- /dev/null
+++ b/include/openssl/platform/ssl_port.h
@@ -0,0 +1,81 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _SSL_PORT_H_
+#define _SSL_PORT_H_
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+#include "c_types.h"
+#include "esp_system.h"
+#include "string.h"
+
+#ifdef MEMLEAK_DEBUG
+
+extern void *pvPortMalloc( size_t xWantedSize, const char * file, unsigned line);
+extern void *pvPortZalloc( size_t xWantedSize, const char * file, unsigned line);
+extern void vPortFree(void *pv, const char * file, unsigned line);
+
+#define ssl_mem_malloc(s)    \
+    ({  \
+        static const char mem_debug_file[] ICACHE_RODATA_ATTR STORE_ATTR = __FILE__;    \
+        pvPortMalloc(s, mem_debug_file, __LINE__);  \
+    })
+
+#define ssl_mem_zalloc(s)    \
+    ({  \
+        static const char mem_debug_file[] ICACHE_RODATA_ATTR STORE_ATTR = __FILE__;    \
+        pvPortZalloc(s, mem_debug_file, __LINE__);  \
+    })
+
+#define ssl_mem_free(s) \
+do{\
+    static const char mem_debug_file[] ICACHE_RODATA_ATTR STORE_ATTR = __FILE__;    \
+    vPortFree(s, mem_debug_file, __LINE__);\
+}while(0)
+
+
+#else
+
+extern void *pvPortMalloc( size_t xWantedSize );
+extern void *pvPortZalloc( size_t xWantedSize );
+extern void vPortFree(void *pv);
+
+#define ssl_mem_zalloc(s) pvPortZalloc(s)
+#define ssl_mem_malloc(s) pvPortMalloc(s)
+#define ssl_mem_free(p) vPortFree(p)
+
+#endif
+
+#define ssl_memcpy memcpy
+#define ssl_strlen strlen
+
+#define ssl_speed_up_enter() system_update_cpu_freq(SYS_CPU_160MHZ)
+#define ssl_speed_up_exit()  system_update_cpu_freq(SYS_CPU_80MHZ)
+
+#ifndef ets_printf
+#define ets_printf(fmt, ...) do {    \
+    static const char flash_str[] ICACHE_RODATA_ATTR STORE_ATTR = fmt;  \
+    printf(flash_str, ##__VA_ARGS__);   \
+    } while(0)
+#endif
+
+#define SSL_PRINT_LOG ets_printf
+
+#define LOCAL_ATRR ICACHE_RODATA_ATTR STORE_ATTR
+
+#endif
+
diff --git a/include/openssl/ssl_compat-1.0.h b/include/openssl/ssl_compat-1.0.h
deleted file mode 100644
index b516fb19..00000000
--- a/include/openssl/ssl_compat-1.0.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#ifndef __MBEDTLS_SSL_CPT_H__
-#define __MBEDTLS_SSL_CPT_H__
-
-#include "mbedtls_ssl.h"
-#include "ssl_ctx.h"
-
-/*
-{
-*/
-typedef struct ssl_ctx SSL_CTX;
-/*
-}
-*/
-
-/*
-{
-*/
-#define SSL_CTX_new ssl_ctx_new
-#define SSL_CTX_free ssl_ctx_free
-
-#define SSL_new ssl_new
-#define SSL_free ssl_free
-
-#define SSL_connect ssl_connect
-#define SSL_accept ssl_accept
-#define SSL_shutdown ssl_shutdown
-
-#define SSL_read ssl_read
-#define SSL_write ssl_write
-
-#define SSL_get_verify_result ssl_get_verify_result
-#define SSL_set_fd ssl_set_fd
-
-#define SSL_CTX_set_option ssl_ctx_set_option
-
-#define SSLv23_client_method() ssl_method_create(SSL_METHOD_CLIENT, SSL_METHOD_SSL_V2_3)
-#define TLSv1_1_client_method() ssl_method_create(SSL_METHOD_CLIENT, SSL_METHOD_TLS_V1_1)
-#define TLSv1_client_method() ssl_method_create(SSL_METHOD_CLIENT, SSL_METHOD_TLS_V1)
-#define SSLv3_client_method() ssl_method_create(SSL_METHOD_CLIENT, SSL_METHOD_SSL_V3)
-
-#define SSLv23_server_method() ssl_method_create(SSL_METHOD_SERVER, SSL_METHOD_SSL_V2_3)
-#define TLSv1_1_server_method() ssl_method_create(SSL_METHOD_SERVER, SSL_METHOD_TLS_V1_1)
-#define TLSv1_server_method() ssl_method_create(SSL_METHOD_SERVER, SSL_METHOD_TLS_V1)
-#define SSLv3_server_method() ssl_method_create(SSL_METHOD_SERVER, SSL_METHOD_SSL_V3)
-/*
-}
-*/
-
-
-#endif
diff --git a/include/openssl/ssl_ctx.h b/include/openssl/ssl_ctx.h
deleted file mode 100644
index 32c6be5e..00000000
--- a/include/openssl/ssl_ctx.h
+++ /dev/null
@@ -1,71 +0,0 @@
-#ifndef __SSL_CTX_H__
-#define __SSL_CTX_H__
-
-#include "ssl_opt.h"
-
-#define SSL_METHOD_CLIENT 0
-#define SSL_METHOD_SERVER 1
-
-#define SSL_METHOD_SSL_V3 0
-#define SSL_METHOD_TLS_V1 1
-#define SSL_METHOD_TLS_V1_1 2
-#define SSL_METHOD_SSL_V2_3 3
-
-#define SSL_CTX_VERIFY(ctx) (ctx->verify->ca_crt || ctx->verify->own_crt || ctx->verify->pk)
-
-enum {
-	SSL_OBJ_X509_CACERT = 1,
-	SSL_OBJ_X509_CERT,
-	SSL_OBJ_RSA_KEY,
-};
-
-struct x590_store_ctx {
-	int x;
-};
-
-struct ssl_method {
-	int x;
-};
-
-struct ssl_ctx_verify
-{
-	int verify_mode;
-
-	int (*verify_cb)(int, struct x590_store_ctx *);
-
-	char *ca_crt;
-	unsigned int ca_crt_len;
-
-	char *own_crt;
-	unsigned int own_crt_len;
-
-	char *pk;
-	unsigned int pk_len;
-};
-
-struct ssl_ctx
-{
-	unsigned char type;
-	unsigned char version;
-	unsigned char option;
-
-	/************************************/
-	unsigned int ca_sect;
-	unsigned int crt_sect;
-	unsigned int pk_sect;
-
-	/************************************/
-
-	struct ssl_ctx_verify *verify;
-};
-
-
-struct ssl_ctx* ssl_ctx_new(struct ssl_method *method);
-
-struct ssl_method* ssl_method_create(int mode, int ver);
-
-int ssl_obj_memory_load(struct ssl_ctx *ctx, int type, char *buf, unsigned int len , void *attr);
-
-int ssl_ctx_set_option(struct ssl_ctx *ctx, int opt);
-
-#endif
diff --git a/include/openssl/ssl_debug.h b/include/openssl/ssl_debug.h
deleted file mode 100644
index a4047b0d..00000000
--- a/include/openssl/ssl_debug.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef _SSL_DEBUG_H_
-#define _SSL_DEBUG_H_
-
-#include "ssl_opt.h"
-
-#define MBED_SSL_DEBUG_ENBALE 1
-#define MBED_SSL_DEBUG_LEVEL 0
-
-#define HANDLE_ERR(err, go, ...) { if (MBED_SSL_DEBUG_ENBALE) ssl_print(__VA_ARGS__); ret = err; goto go; }
-#define HANDLE_RET(go, ...) { if (MBED_SSL_DEBUG_ENBALE) ssl_print(__VA_ARGS__); goto go; }
-
-#define MBED_SSL_DEBUG(level, ...) { if (level > MBED_SSL_DEBUG_LEVEL && MBED_SSL_DEBUG_ENBALE) ssl_print(__VA_ARGS__); }
-
-#endif
diff --git a/include/openssl/ssl_opt.h b/include/openssl/ssl_opt.h
deleted file mode 100644
index 3187cd25..00000000
--- a/include/openssl/ssl_opt.h
+++ /dev/null
@@ -1,32 +0,0 @@
-#ifndef _SSL_OPT_H_
-#define _SSL_OPT_H_
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-/* mbedtls include */
-#include "mbedtls/ssl.h"
-#include "mbedtls/net.h"
-#include "mbedtls/debug.h"
-#include "mbedtls/ssl.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/error.h"
-#include "mbedtls/certs.h"
-#include "mbedtls/platform.h"
-
-#include "c_types.h"
-
-#define ssl_print printf
-#define ssl_mem_zalloc zalloc
-#define ssl_mem_free free
-
-#define ssl_memcpy memcpy
-
-#define SSL_MUTEX_DEF(x) int x
-#define SSL_MUTEX_INIT(x)
-
-#define SSL_NULL NULL
-
-#endif
diff --git a/lib/libopenssl.a b/lib/libopenssl.a
index 539d457c63bf099f19426bf95f8b42ff88e231fd..c69fb1773fc74d343930fbc631a0ccf289498a96 100644
GIT binary patch
literal 99006
zcmeFa4}4WenLd6_ZfMiy(n5$x740RY<<cf;Zko11p@#6M!9q(RrPQT{kX)MB{A&_g
zx{E8dSXsptTh?WF<8De(QCV#(>$1D7n<BE*rHU1mDs{19r7pFIs8p%>J<ptZ&wbD2
z25!Ip+5LUL`+hQ+XWn_|nZM_pIdjgLJ861TPjl<_7haW!N~*f%+Egl4ea*B)qS8d^
z|B1xasZ^jyEWgn6ybpU`{9PG0VUg$kuRD7iJcBm+ZQaj5;dwbaf9yTp@7ygZ@qBSj
zf9?7IXRfiax3|5qIo;FO*qOf9%N|(SlTLeGjO*=d>PvStwskh9dwRNhyv2*>H{RRS
z*%yMw&aS@Jw$3{<ik@^+OD1%0Pg`F)6I^{w<+R53uCBXQbsOcK=|08Gkjc@+&1zU`
z%E&y4O{pZ%OH&l^o^(%dTUTe8z)(Qnk?w2l3d+HHGFh0urK_>Esk5cGwdt;)Xw6-n
zo$2PFQccax>Fxmbwyx@H>AE){Z*EUF1@+HVFsvJMwIvIy#nP!#NP(5glvU?pY_y^~
z-Pt0I+uGFIsKaa$Q>ezS?mjd@Z=?-e9jUc$cuJN=TevA0zcOf1!XAb1wU|j16ceh&
zME4hIbhxRV!?Gpa+l*1rBlRAp#rUz~Er{y7uRA?FfzoCY^qA45jU$?j;V?U`$e6JY
zSi6?=%BEHAXcUb7#uckpu1xndwx@%ElS_PC=gO|e=BD=c6-~`|h5fjy8-y!OkR-k7
z=2aMR_ksDIbbDr;4Og>RwsG55-q+aC)e?+zDQ;g|N4jfOFv!JL>zJFVN>i&G%#zem
zn~}guM=j5yjx<#!6|-a!!rJQcsJir|d(qHg6RDUM9JZ}t1o<$wSp7^yR_m;mQr&<e
zER+p4%wLQ{uPxo#Cr3Cm_oN!DvT9RVwbArAdE9gLa69yQ5AuxWlFF*B%Bqc~4|0j>
zSQmRvl1fB^sc3BG^o8=;z*3&nEuOPvVdKIZ=iDyg#>P;?^KkZnIWxCZwKXp6X}bp(
zoEy{kg&n!7H|?sksMudob>qy%H>C{ANct>kR<^YVBhX0`>Ltyh#WOQy4YKNJTHS~X
zNgqcAkA0s1yF0?GETE~TRc9_hRuNuoY&f{y*nqj@h#{^CLN3>XFv^^NZHS{CXJZu#
zuC3-8jN<gRcHN6B`^qj)H0&Y4rmzxd@4_{``>ynTQX|2}N&?186@@24)e`FHvq$mG
z3+LR#%VzIgrkSF_#?Dpk?Vi$^yc!#qa<pa2ZWS!Li3x!*=b)lG98OIwEpnL6nrXDd
zHPXqPCAF<=YsQES2a>B}rCeQ>^wH6%5@aH>r3%L#$D>XaMlk>GG)@sJ)(fX~6<xu-
zhQ7l{RaW9|BK&{twbhA4)wG(L;GSgph3}a&f3ENQxX}p2_ulDcLY}uQ20dK0iB5X2
z_lms<!12I**#Dv@Poz!{Jv(;dsps<IyPukLLCXKd(4gl%oww`x4R<8V54~xw=arB4
zPf|IxtbYaY3E~-fQzw?k4?mnN^Iu{(^`oKk`1GUxe=!ixJJ0jHg4DiAhsG8?IcD?;
zggg&<#q*HCt28M{Wg<*$@DDaD#M62GyGu%Z{}q}di_<2HpCgN9EkOZEZW%bJ*}xUe
zs%;&7!>n0vNhF(lFmLYb>S`~)>4rqAqN=i@a%!TwqNbwCG*AL%U}G-DX`;8OaUPGp
zTNlr1oLRT{=J~fa%xRoIuVK!jne!LVsJw7y-Mkqo-ta*t2A-F1{V~?3-cJVcmjUO&
z&9rd^7GDd$1nyoq=1u)-xI#GUAAqA!PhlS9q+bk2PIfRwY?wc7=vTqfrVfrGHpKa`
zp)fCE4idp$MeltbeN8Li_w@vRtDtt=HS{#KS2(vT6{438G3SlpT664Iv^4cKc@-;q
zd%cRDbbC`pUwU=lFvd(wlrxJyU~TK^>M&GZMRQk22Tu21#cI=?73O3b<b|A2R+}*b
z-9261Y>3?CjWA<Zag0-fV=ch^FT>z!;9TtH<!JXW=dfd5l;v>5F*u4_KCxSgI1Yz%
z*|BNdddRRuR9N4;6sG<d$jgxMb-?G_I1aH7z-hjn2+I%#4Ef%tF!jYa+)Ck-?*cfs
zGx@f_X}$vp%Www_`97vF^)=wz2%mgr*uy8^7vRXp!-i6fz~lg$|I)utB1F4N8+RQ7
zB^J|T9NkyoSbve*p{$VreA-YB!wF{iBM9hrk+^RoPRc;LeX3o?*f`eXML0<V=zR)-
zK>{lhcNAgGcN~0!(6L>LY#jN<!pT?x^xDusCkd<wAAM;%MxDZevKGqmz!$?YFP4*i
zsQLOZUizRD5k3iL^J9^gB_CNc5;Hxk!=p0+pjf1Z7}h0cSeKAt-BJvXa`;eLB{A<J
z6{0;`AR{r;5;|ODO2kXYop42{AKOZV_)QXk&v2O&zRn5Hal$tv%v$jBQH1td2A@2<
zR1~4T-UVO8<n5g2yYE@p)zkM5+z@v)d(JI{n(&2p6Xwip(#+-3Rpd+_28@xJBO1i=
z`KqY}UkW{sN6PhZ#IxY1EoKsqA?jDd=lRVymGHa@tEY~*(CT>!7JD9-#53V@%=;Yl
z5avNWb;N~Mf1}kif71CpU?6N`+EYhdX!U<&^(-6P-yes6kVZJ#Q%78A^*sK4Dk1G~
zw4si;(CPs_-wrFD$BOL`CN8vkV`JO1j5c;yUt;kz_@>QYPfO2xGaPNGBQCUh)1J0$
zms=a^h^5SIBPlblf#ji%I8tWRg<?2unN1tovN2Akx`xx*n>MkyRM}K2JYC^>g&T-%
zUdt73SD1a{+cK<Ec%#Do#B3bMHaNjM6z14&Z(AYL{KUED`PJ85bIrA8qJQpr{`#57
z2xY8>hZ(Z>3-4#%hTZiK#m5!Sj_1`*egJdsH77@(*ie#ue)I_<kMYkBi#NKuJ+InC
zCXLno<{UbcHU5Qj_FYx+{1?WhZWuQ)n7GGFk5`q){a<qO9<PosPRx4XL9|&-NxY>p
zl^<VJS@*z$NWbP(L8?4IoX(SP2JREqoZRqmvN>5&zq>p(n6GXa*oWB!>7E^XLF%bV
zFZ$2r?XP;!j3v37S>&H$F<#2sUX?mAG(E3wV7LEMYBoGkGy2)8rxv|fH!W{&zE^&c
zf1GNR+uq6qw=u_jbGN~<q$R9-|1%{e`SyNgnYv%88~A~H!?Iz^h6koq)x@Ud#f!qe
z$xBwTk2r2Qra8vraFuYcMT(w0^6V`a-2GJ3i!)zIp%seuUgf3!YiL<s-6L`TC#=}h
zdE<9qh`Y7;?un=T9|vvHzuSM2=+(Tb73CN0e>rtzsO+f!L(>iy?;RSNx@-JH=arP_
z``@Q(>h$q-`N=!{|1^R5+fUYvPR^JXuPL9}K5b&Mq^9H9Wz+W8<dw$<W8VHP@uI26
z%i|B4%V2W8{|zQePWPXoe`r^-+&@5+`tnfu=;@pMubRN_p~135-6J#n|6nklS8(^f
zrbD+Jn|T^HjR|u%$+j6uY@a+k7F8|EPp&|biol1`Ab&FokpIuZ{LLsx9S`z<+2oJL
zVE(rRLqXrig8PCLhRlkZ$u*O~XvXi!=*?_k(-Yk1&c*nC?eX>=_#yv{X@GIpJv27i
zj(Xs5LZ&nF$oexJHL=W56CQ`pj!o=NY=5u+YbJdzZ)H)!B$Xy0P0%;-SmGNGkm*%0
zjn3SwoA%?8^mN{H`TfuIf4+ZHylU!kvMeeY#g-i9efyz;__%4uZS8d01J8cs#rt2m
z`+~=xdgQshS7R^b?_aUz<X&^R96xJleDP4cq@?4b+C7OyAK#JeSP)N^{QJlA>OQ`s
zb;XQ}Z}-bb51!{O^*>RRm)JkJVNK#~sl?TTA6@+FM<4n%2GUD|6@vwj?|bCXM~>Zp
z`tG79E6rHgke6I!&To0i6-I%9Ve0Ure?f|);HB8Ehj#VW<RvefGVTf-*k(0>EpvI$
zGNw_J6)(2yhB+_Kd$B#v<&RAJ*pmSGab7LS9J|wiO`hS{=snxm=+6tr#)7=~IG$r4
zw#{hQGZy6G)VFSFX=O>}!jdslOUXThx>#~Dv59X;mL?`AOr#07)EC3PwgihU)^?n-
zEv9WT6v5a$$?;n^`GTqe4`<c~Q6D`<f2TJ6MIZf{SHGgZbm_WyJ_b&_C{kII*YCgv
z{gD^+hgm1bf==M40-q~{_gw9*>b$Fyj|^|U(Ywu?>)q<z+tky^M_DVe7}4%6oOjc_
zh6HWrEL!B<dee=!-IVZV-!`j$i8p%@|2Hg}W&Yhbhj5nHaNFY9_%~}25tX+sHp+TN
z<KJ!dh*>mu-c81QF%$;hHft6!xo(?fl96i>xfYRYk>OfIu0@MU11=Qm<{J~<iuB5^
zo^%4CL|bQDUt3dq+aEXa0i!n?6;3706Wv5>8guhR@H`~ZlfHXZy0_07aIrdjylJAV
zz=9O8QA?JVDQHAxVIHz1u<)EnuWrVg`JHAZ_MWSUnJ6wr5|lM~;E`zQ>eQ(vu9we`
z6Mb#Xccsm9B}*PeE84J@nOX!kBb06!!ARvYO*t$wXkcmCOrAl@1?}RdG;u4@YrU;$
z^Q1P?P^S43&28PS>7GPyce;64o>`LGTAVwrZmG;uvuI<UwKr`}fsJBQr8M=+-kUnA
zH$6h1Y9p0HmY&s?BlNE}QDh?&*X^oEZNtb!XZp@A9CAF|64D!q-c@)fp|^J>o`>A$
znQZx3Hr*586<sY>YX<nDdT&vkw`jK4+}_ojPT=(nJOjmPDZLs!-j{B{gSp<`CLBjA
za0K?Go4a~i5*<y=UQ4>U=RWfyL1JYS9)q=j-9&bwH&?cI-AjwEj&3}<F$WBdR`sO4
z@IjVIMonjzKC(?dx_wr4_O9yg#_fGNat82}4a#*-*Ig)r)}aDzJ&sP!wr%b0={uX+
z6WvWcO?VKArm-=JSu;Jp(b3zRXi0arAvtT&l1>D#v)D@85OP4VkU8HzXf~%jEZg>V
zHFvf1{AAuUX+!B(;+YU1{wCy!yw`@uem$KiKtPM9H9d*urq1Rx+Y#;2lU5yzvSnHT
zOVW4}z_Y8a>#EMK6@5)@olPt7JaSbhd*aT{wm(LTb)tT5lP36FZ&fb~-i`M_hR5U8
zk=DdLP3@~lX0A_(g^O=Yw4q7*@Irw%>n88k1zz0(Z}u#2(aqlMxnBKT@1|K^-7N3c
zSstzzv*viSZuRCZ^w69$XM3{|yxp6#$XmF?o444THwVu!yqj=6gZ^e*)x5ezUR}L+
z>q1=ijqv_^3>??zCc<ssU6WV$Xl&9eLpO{oDS0$+%DCc^NBt?|#!WgsH1n53Ro{5E
zvXu9ilTHqeJ~8R1_!r!>AgPzA?5i8-opfgCy6W@sKXLUyGRAoFQbvlOg1D)0SJI|t
z5|Um%u5i+?hi0A`s`}DzDoY;*Njc)Kfg{&QHj+<&U9zX@b7QW!8XUj4x&Z%Cl#<Dw
zF3Z_$-ikcx;O4=xp_afcgKL80x?DTl-EjB7t%18Aj`OGw!fk~6C|p0>7C5dC{5{;~
z;da9PE8K3leQ;01Jp=b`I4x%Wn%5M=RDOI<-2auiEjc{2q$)1+*Roktu8yaEHdI+M
zkjxw4l1A#ALwl26>ZPH%Q+Us}_cAYaY-nz&mwI7nZ;6-s!O+}EUh4ZpdoT4;-y53y
zW-oPkXzxTX_3Y5xH+rdW5AD6gOC21VJHbmmGqiWSm-^b!+}C-jr-$~A^HN_Knp@<h
z_6_YF!#lOP7kjBM4ecH6r3Q!Q#=X=RhxT6RrT%4T?gd`zpN96H@1?#lH1|9&wPR>+
zzL$D@Xl~3)eQs#4k6A3*DD|nK=$*?SVJ+vMQU15X-wS^~9M@6UE{EX0XTy1jFMu0F
z_$b_u;V`tY_7T{hfqxO=xkk1S?hSAWxXa=A9HI)Y2JU*e*>KE5IEm@VMIPoU{eK$x
z64+0JV_E+cZUAl<+;`!I;3lF2YT#~#>xKI;+$Z6lf_olr6xM2zaP#51;64ENIk;!x
z&cMAH>mqM~yA4i@9tTyU?Kt?((2|p98wcMQ+IyuL2UnPJfH8q_fH8q_fH8q_fH8q_
zfH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_
zfH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fH8q_fHAS%jEPTY#>7@<Omv}5ccUTR3ID6`
z55nz&`wrX@xZ`jyz>PutcsL$QC*jyvzk$n#j`kPAFM*o~*8-P>tAMM9dkfrLxcP94
z;FiKMjd0f5FuBOHA#d6io<D;7qlY&1^0uaaYh-O|Ls8WVEb4e0-dj`j#;d0l$qEnd
zPpYQj4rN1KvP$k$pj#2%L$0WQ@3i-p=ZE2v<a<M$Hx1b2|B&%@TuBl-yS}IKisTd1
zipp{BwQ&sRWx_!nf_03~XSr8J*`5f~=1l`e{&gk1y$seBQBUFxCDT^S>)|@%wB7Tb
z8GYj27{7l8_b}YY;0E9xh5H2DM6~U>+~;$&!yxj$3HPIO*#Ghz@lu}Ac#Lx?Tm{_q
za7*Cc1^1_L55aAP`yAZA!hHo!(v9RF%E5+d{|k0!a<DBr@7#HkZ&HqSSLJ9|3%ez7
zU2ylqJp#82?(1-+$nRY4V2*a*hTV7Io;!#Ak#odLd42%97vNrmI}Z0U+)22f!<~lv
zHQaCD{PS_HfRl71`RC_g!?YK|ZgdW|V{)(|-?$v@#^-2v3G61qT?$tMcNts~PM%dX
zBhTLh{=L3_!}%*^Lg1OXEMct;^SGeo2VTy8v9%X|@#9u6zUakYYvb2jpPru#0(=~Y
z>413(j7y4n_B94R%T@yC<_T4p7Q@w~rB7jg#F7?|?Ttt|82DY}%kr_z^eN=ewakCW
zv@93vOaCf3miapB;HayCWBaq6Z-5hhJuq#le>)tXn-bp&M`2nK@>BQ>o@wM+yx4FI
z(uO`C`O@YJ>(izTE(J&aJK!kP6Vs<Yt#Ajhlz9y>g?1FSE%Tz!XRFL>792%vh-pLN
zBN*D4M=|heLoDNm<)vgxOB<#YpXJo!5J9gNj(O4NIHr9A9EF_3b#T=4{)j?7@f<kn
zzYB-yu+ei4&iE3z7Zm;pF#DDI%h-t!+EI9{`^muPvvzXc3r7(fV%ku~!O@1kj0cvT
zZ;_DS?O)cPY3a+@raguHe~7e~BOjKT<BGz3WsFhJF(zY}?L?ssMVFt)1MR0X0zw;N
z>Pq0QhZ}A2jqoYLL+mH{KX{jdX(~)8upt(nN?<7u@2e@<c=)~%)6mD1$dus?@MS!(
zFZdjZWg|b&zr=5Wd$Yw$;a_4g@6RdO@{(~ZK6%{n%(PNRu@gU=J>zIkU&b@n4=5}H
zF)p>H%nRXDs3*>YBj+MGIo_LqDcQ=;vNDY>Gcoff&xLT5Y-yzq;?rL9n1uM}Cj<1`
z93$)tmQx=`#BzLH9%PZVoN|1L&vKsa9L2gaFY#%AwszpyroH&IXWLV<wcAC|(_Vbq
zvuu=X_EHY<Y5%({&+Ea*^3a!a7q2_gwv&J<*~<3cm6pdd%S@lbvJp#}CsPT@R_6b%
zv^+LgW_^qhk94f@8sH~`Yrzzomgha`Bc5aB{5BJq!uk@6elC>|X$Sh`q(2^x<>5Jx
z@>*<o&Lj_g83S&c=VHS=r92#SEKkDvCGhDe*~*rS{aU0YKm95=@;_mHa_)d*A26SP
zhNDnVOg-%f;V9G(!ijz_Fok+z(eI}cLOrqQpP>>$J+bHyQ3;`*SoEB?P^c#s{ZT3*
z)Dw&T$5cY7Cl>t)Dk0Ppi=Jzg6zYjZe}+m3^~9p*8YhK%V$pLgl|ntS=(&bUp`KXu
zTvw$~Pb_+_vr?!h7JWkLiAB%#SPJclMb9-_3iZUI=ejM0dScOYEtf()vFN$JOQD`v
z^j!0$P){s+t~*nxCl)=|kSWv?i++jH6U#BnwP6bFi8*iKIOH0p%zxUH4Wf+5XBg`d
z@{^uNU&cJgGdak)3yx*rnBNUYp`KXEwvS2(^~9q8DwPoGiA8^qN(lADqW=z+5bB9V
ze*~C9{Si3PzW_|3o>=t9sf18ZEc%mFLZ~Me{b?#8)Dw&TH&jBXCl)=|W+~JYi=OMX
z6zYjZ&$V3&^~9p*8Zw1?V$pNmm_j|V=((m$p`KXuTwkV8Pb_+_Ia8=77CqOYDby2-
zo@>(->WM{PtMtU8=Q=ip_Qay++BSuHV$pNGn?gOY=(z??p`KXu9K#gqiACR{^u(fn
zm(ml<F~W6y3VDd-80i6)W8~e+#u($D93u?-$w15NFOLoJd0a4m3i(CEz6c81)0cTT
z=cklx_AE2)#V0@0QL@>`p{G543T=p4KBhg}Tv6IheA-JM;zQ;6N&XMwn3u%Sr<1&N
z8K5>IX(bQcR>YF_Y;#n`F<)&%ENMA6rbxMne;4_ZpZSW<_R-}>(1_$EcH*DQ{<mq9
z|E{#ZO<(*rX<zI8AUj6-<+o`o=}Ym?)u%jGIcDhdl=51R5jp0?XI^JJ_I16OC++1J
z5Fe_n?Qk}GecpR5*c_9|;QS+a0`eDJs&J*kyf+b>dWCcO95m~mG~wr;cu6kUoMxCN
z+@)rC4Bw~nhO5o{Sy}X})dn_^RQwP-c>8CVI{559qUOim{8D|G(tMgUOv^ng_{>D!
zLK<ek+-YEUVTi;J%V&5VksWa&iDhe?h|=zn6VZkH7eutdE(Q@*mIgQb=tPWIA9g3&
zDcVM7tEjY6wni}NWNV#BRwh-}7};GRVy?I0iA1nVqr2)1i)JBYi=APSEJxPJvyhHR
zI3gKSU{i=l?$mLwo?%LE+7nTdHk)o(Y8nnpoptmw^Q;lW_Wg+#Wmt5uD^H}j!}kX|
zdvq3x$o@dl5=5f1B-L96MN{gSED1T1*np9(a@4LukxINK!{|Ok5gul0Hyn!S$uI9Y
z+MS0Y@$A2|#go_eakv*zgg|O58~zN7Wa_MuEE>-ycJrZO3C|W!(zB(_B|g$W!B$3*
zGBAI$r%_fdH(-iHs8+K3qeP;eh75K!8fL*faX4l6J&IVUEV86Ods^wIfIV9DOiC~N
zt_#^O+?hQVGMDb*y3EBpOI&a@$r52N;8|iKm+)vj+s9tShez1Ucr=2oVlJ@5)xl+U
zxSov_xtI?(VL9~WJZh08zifF$FX~Z>@Uk9N%Y{9v&0N}}dV6t?DzkP-aDk5+vX0>;
zet6W#)tB~@%Y2r!;pIFUXHt$37hde6Ng|i~XcW8Nxi$|sU@gO|`tWF$XoTpqQlEwP
zER;;e%XhRK)S3(UaJ9LFN7bYs&OvP!4yv<ogxC9?F7DC7{a;cQschxSScV(8aLf$5
z_`7L`8Q9Bgv@TiZ2j?)zN)wp~xFv~1W=*bV12(m77gjY(tl7uLjnmX4B-bV(hn&_U
z7c)KCh_(oO^fj0|6OJesvz94GG={mjlZvPX2kqG{$WAMJH8h(bIwN1|9?mYJc?iP@
z(Pqr6>BsQIXSXoN-C5J;W)bNQI}M4Jh2;n)BH8t3DiV!SEhm$asDU(&ZC*Q_7;eM7
z&t{`C%F1!B^wNhx9`4bXNgX}1W-Y$0VOD+VwUt@b*VJTJS7%pOc@=+vO`+b1wGyr|
zaUF<K9eCk?u31s0!R2Dd_ib{qOXp~}CP%wXIodsuquo<E+8xQ!?&mq$6{7KSX+J(^
z%*Bq+PI9rkBS$+v`^bgw&vLZ;+Z^ql$kA?Jj&}V11%Kxp_b=sW#|7J5_%6xO?wTC!
zZpqQ^t{m;&m!sWZ=V<r&9POUT(eC9O?c#VqmrH+4$<eMhN4wi|wCl*x?!7tM{bi1J
zpUKf~Fh{#@=4kih9PMJb;N;S8B{|y7&CxEMqaD8y%B6f;bF|x&quuv%w0kv2yDRX3
zD3^LH&e5(XN4pQ?X!q$H?f6YoF7@E|O1an-U?P-@-DNr2&CJoRDM!0^=V<q_9PPfG
zquqCNwBw$MxwId@56Z>vnjGzJ%h7ICj&={{X!p4s?ViL-6lbe1<0$`b`Ea^4;?Bp#
z?rGTZ`RuvuzMZ9f#g>~MP8UX=ft_F~wqoMVcQH=EEr4Sj!@qR+<XJ1Cj0nd`hwm}P
zcQY)7uMm~c?b3j_Y~?!-cEZh!b}7DF6yFqwuXO~z5{GY};#;ivY8^h9Wi8)Z9lnE#
zkKf}+ec$2mZ5)B`R)_D1;=4`p{jtNh6>-c@MA~eX!*?8f%$xmtJDim7VTbPw;^ZB8
zz_1Vg+~HgE?#y`M_bbA;-QnZAXvjJgDc>g@zV+bayP7QD9dN?;C5LY_Y-WXQneu(n
z;p_j?OntderSN^%;X4dIzGo#O<@=VySN5LZTPc>W2~PNa<M5pTA5Mv(2;VCX-)!*7
z@z$*P5_rKJ6d}iH1mxQxk_z7&VJDdSh2UF{xiZU_wsz#d+Tly!1adF*BEnJO@Ey88
zc$b%acf!$*d^b3Jo57cDywo{-``(*rzc$6!?C|Xzf$yCT-x2Ul2M^14m*V?lhwsn`
ze5)M3i4SD>IuzeVhwn7_u0y<twBH9EzNO%+hY`!y1t;yd&Ecy=1lLeRgzr&@Z$R<!
zdm-WbSBGy6BIMg8athy0hwqrGZ?EF}y2G~<1oC~7=G*V^m97i+8ex4`DZUpRzB0_q
zvK=4aclb7fPmT|cSJs1JA20pr<D+^6zB3MAzv8=3@m=chO$T2S;zgJ*<qfbC%<wkw
zwZmt9{{)V4EZ+==ZvcEyg(4i>(_1hji{F>2FHVIa-|Y_H_7Upa;P53BA5IM+-ztZ1
z2l%obzugXB8Tj~K7VC>sL&&$m;X4Sv%MmXkb$q|WHyeC%{9-7Ee4ljqxaUB&^Ya#m
zZ!P#_ya0xL+;d!ymoXT8P=zAp`;x=ALGis`@%_l*n+QJn7K^09_q@ZmS@Hdu;yVv7
z6YKJofe%y1P=wEionS_8ReT>rm~pKCWQTA12=#rl!}plt`;g+h-r=hsp}x}`zFms%
z!;0^Ahi@tPCLvx#>e%4$?E{~TzmLFJ>f7b;tr>yuT@K$7#rLq{d(hz<7=iD8hwrrF
z`wPYQF^6vt_$EtbtsR4#9lkLS275j5c>7Ch$Nv4i!*^^1zRx;*)r#-06yH}IzBuOb
z*~<52hi|Fk`y0jgeTT0SeA$k-!w%mX@X7J}F~#>Y%U1;*<t^a55>AB24&C`ktdFBs
zyx=`ojNr?-%7dL?Mz2S{+u*aE2jFB}l{kElf$z<T7ZHv(IeeAx&z#q`z*zWZIeZ63
z;Je=8Ygc?*6<?dfcLIFb`mM#`+XlV{@UXt0P<$V7_=<5-%f|OUhwqHyV>?QHA9MI>
zz*mBJ5oy2AID8A&XXZ_xhOzKH?eHxdfp4F~w^{LRS9~u!d~3lc-#oF5QobKMd`G~y
z0g-IK&nmt`e4NYimj_2Vj+6MN0Gj{8cOL8nGol?Q+g(UVzQ^Dghb+CRmhU`Z%G$A>
zC*PYeEF7f{U-HBFJ_?cK<FhZ}d%NY6@^K@9Y~`Ed@SVZQQOdVN@pU-m+XOx-E6l?3
zwK{w|adKq+SiUb<JBIrmzJBms0=<aT_b(m3J>Zk;!cG`VegECz+X=q&h0NM9xZB}7
ztjfo4+Jx_z!#4=NY}e@@IDE$x-!8?MhvQYBuMU8(fCaK5^?lXhJEi!(2wN#%sl#^&
zd~8<{;ky)ef=%2<GyO3Lh49UF_>O`v+j)GZ!xvY4yA@xX!*>FFP=z98YH|1`D84<4
zZ@t6EMVf5od%)o<ReXCD-zOcuIQX)S=PeFjrQ+MC_`dA$6_3C-=<rQfd|y#~KXUjc
zj!@s{9lm<Sw_ov%!ud{*zvKvfoZL#^Ai39|_`a(6rZ{}nBk+|te9INz0mXNV!&eJF
zR4o)K(|m`oUGY7m_}U!4g(L8_IDD%W-$BK<&f!}QzHIkV?{WCnfltm?-%@-Zclg$V
zFWYz?aQOOF`3@<*ryRZw;LA3i_c(mp6d%8*Wjpgc@{+^134GbkFUK6d9g6R;;v0>V
zryhR;;LCP?E`Xi%HIjRSitl@huiW9=2EJ_P)1<?<U-2DLd^b9LkBz`L*Wo*)_?}mM
zY0D?q-<>10-*SiVDELaja|-UL;#=eJ?HPgZUWcy$Hxt75g5rDF;X44n1MDCx(g%O;
z@RfnDdsI-qW3Z(i$Hk`|zJc-C`9ALO_4jA^eysR*IegtXh~9~K5h>rlTf0gd@m1KB
zh!K2NiS7XG^msb~yBf!i!RIZXL?tmP8IS;cX`<&~CuLxCd`o8i^ksylU0!zh_JMC7
z+D1h9e(dm_0Uzx+4t@$Je3%x7&xFXau@c{-Bdv(=(U-BuxYKvyH(PM5{u~(8hL6dx
zY!=~5V)5-y(7z(WC*f><%sfHL#Kg=mOX=_}nE+7CTkM2yb;7qf;oF@spFm_J7VcOU
z=wjxVs&sr)CIA%knw@ak38S%;#Jn~YV*0zBaEBA_a>92z;a(@a$_b+rl*GLIREYU=
z1u`Qsk1L27iFsTB%t*|v;OX!KnE+7Cd!G}2zZ2#PRz_lGH)$RIP$mEr^FHi^KjMTR
zcEXtCDv6mDkc=Yc{Z%Fa6!W+Ok&&3k6@-k$yuZr?fMSs&m|-3P8HssYGXbEOxl_)l
zVrIoahd-SO82jx`__I#<F(=GBwT#5ft}#0Ng-ie_W_IV!sAA#HGJ!5;cHq$Qyi>?X
z%p1%EfMVe;9f3OL?Q!DwI$_RqGZHhu9I3<mGXbEO*~ufLig^bz0Ta)eT1H}KhYub8
zRwe)xGrQPiR57#jhYoY5k&&3$-A0FxWCB1j?|CPD)Cu!SnUR>sD_urnW;YxiKAs5x
z{r-QuQD4cJpPu<J%(Hq%Vv(68<FUx5Bo>+3F&;OeN?!YKMe-_@kyvC!pZvHPR1)(r
z`A`xwJMCo@F;87Ep^ljyqI5hi=1O9bl?2+qLB%rsMkhSc3G10X?ceOgU+RPtPI!_N
zE^)$orH%ZhPW)v~_;M#a#R(^!@Kh&!g%iHg370wHawlBjgs*bKl}<S2gsYtJ)lRtD
z318!cuXV!LIbl7MV|z|>;@{$g-|B>?JK-5l_<AS&HYZ%`gl9V8Iww5K3D0)IbDZ#8
zCwzkwu6M%oobcP7@QqG*z7u}Q3ID_izwCs68qSM(Bo|>mC`astCVaCeM@$fZOZfYN
zL3pv*)03n@_||Yn8H8{1Rv?aNxdm`Vc%!8oK7~hWk@rX5pTg%^pv8pmFu&ytXk-lj
z>lp{b112W;$MD}f;eT<$Uq+aA9Jxi9U+OCu^>PI&GVx7j-VSK)!HY28<a__M2>%eS
z2ybkRLs*3AW#1<17%oRV&q{v;SA;h*uC?|-ecQYn5Y9*3B_{qZZ*e5tVfI2|d{Evl
z?=Bn9kyC^x{HrV<kAxzx*Zg(_pn3LRgeUszZTxvA{$7vo;ZTC`ecop*-yP5uVLtjr
z8z1!dyS=YP?BC-ZvEiWn_j|`}dY&1J@MH34Y<$pu@AHcCm|L(WQslkgyWEB^hOWr_
zGw&@n%(g1Rd~|-q{zKlfi2aAXb{n2#>_6h&8wo$`JrD{1h54Nfn3`uIMVOEBefUiH
zue?u0!hhpEVZ%ZFKjwWAVUAs%`HC>wzKSr%FOQ2N%s-Dt!dtx|gyV>Ny@~&X_qv!4
zZ}Tb<W_n)9io8#Ib&>FPkME_gMcj)f{<Ge@5MB@ba}$2TTZ=Fy=)W&`TWvTPKRdlW
zHq4nt5$2cQvEiV7cX=<`Fw0QnVSdTM1!0+syg~2vHXPJ{w|A8da}BQu^UGP0_`Tup
zi3H`@=e^6u2jQ=H_ebpadz&KRuX>+}gb#RMvEd-UXS{Dm!UxUoF|fSB`1_W}_oyjB
zc@KHxM+M;^|L=HL*>F(5!`^Hg4%+8?-t9IVw8s&zJraH%F9GpWWb+wjM`K&3{XU$Z
zU*6l)X?`)zfbc7Ii80#?@YleC=-_+wFsMI5r;?w+1z(;^DEQo*A%5b<Z@$fMR}-*6
z{JAKjjr>-27-K#NHwg?98WYI;P`0S~nH-biBRcb2RHA38sJEY5Q_cLHU+Y%C$W4nd
z!^j8djFGR-iS4K6gyHw)#-=^p)MJ{>d`V7Krs-H7YS1FaBun|EDyqoFN<RBG8M0bh
zAs>G;Qh)Jn^Kw4(7A<+@<89F~d##Ip#Z4<Wm79X`_`q6B`Bk-Geo9TuBnpZN)ncN1
zl8ib$?Bi%dI!qgUF3kLfe<z()n@JG)=-IGGG#SIl*UhGC_$jkAj<z2BW@g4rKJtuw
z>Z(3cmPR>OeDrf<rXsWb23bg)&x)yL3uaL>v2EONZxbP9XUK=cqNA<W(MD}TB4%0C
zOqs><Eb2&81YZS{Uy2ouBV8U<7yHq#6iLMdU+GE&`GQYx@mY9xU#sEGYMs?mIyRsP
z3uS}mM9z1MdF`U`cjtLtr|>u5Lp`nmA;$ST#4skVraeyhZ-+lyVcy+RUl0FvO3(Qx
z^>R1je;f+P8{w#@5EokgWMJXv<;ed8{z0a|QBNIlq1E%Qz8DuAnOpm}KmjrKi0lBa
zg)62Z<Q;ItUGOinxD39@>oWilhG|0`aiP_lx?4_O<NWRT2jQI<?WrR!w0hnlQJ;n%
zhx6@(nr%cqb;N~Mf0Na7{>ZlWKZ}2mMmXA2M_g$2oJ;wi!#~KKaI~S0xX|hWJ!z9N
z;9_3fA)Mn7^DfZT-EzL!>Zv1^yi9#9=jGOhI%3Jo)bVjBAf~OrPaScg)ibWRFtaba
zV55gI^EGw1{b)EXHf6Bbl-XjYl{!*YJQ@yTy}@F}oA!a8=^nIt^6?&s_8*0R$YSm(
zd)i{=KMG;muv|A=z2OFyK3!(@#qf!xPg_I}4jv0)-)Z&K5sUpjR?qVAUdOj%Z?)A^
zM=WD<oz>Gm0p~xCe~=HtvCIjJrTsTsJ?m5o?EeG)LH-tw_S6v<T0IXl>VE=13Fm(S
z{~#<D_0$m;TK(s({ss64EdCz+GB_ElN35PYVi`Y`z%u5K0h6CPVi|`VOTu%~+E7O<
zJT<hj?J#6*s3Vqkn67NNZ#MIyj#zB+X_IA)Erh=KBK(8!SS6<I6pP#87r;q5nKx~y
zBbIV<Y)O4<foVe>vD9}Au<-DlOB?Elg@<EK>dU7@w4shz>M}vuth6@N5sM9Z`Oe#T
z_@gW)&sbtaQjb%N!PHayoq=Bnk2VzILaR4v@h?mZoHZ>CnU2n;HSLL;Uyc)Wk5>$Q
z1$>JCslZ2Zjh-RmLaXOJBkh@%D__Oqg5O9nbp&Q#Q~ZAke3%*=hKLKTp7)lL_DW(D
zz7oDE4{!yrDTBqPz83RX5_?k~To_kChwQy#VBUAp5#!GstAeYop6BNqEM5Sgjy6l-
z-)b?-z_6qR^or5o9Fvq{WKKMnctY^IC5FdhQy$=jh-W!yLu{_m!1I79(pCvz+E5a3
z(pE`e;Rp1JagjNX08)&GWEo8RgE$;xz-TUW4_}Ov+oix}i~+N4DE^+nH)9NXiWw(X
zPu^k}liOfixOl7?3_|vm!HM9yWAG$pQ)2rQcEy;0u+Po-2WB-{zT#4)2M+a^M1=Oh
z)SJG(JUD+F9$?y>Pacbn4F))?V{Cv!8;gw%8a1>54s9$(a<6!5(9W#CZx0Z2Zn2nc
zA$rzbFkpyHUvq#%%HfKE$yaGH`KDV;j+qvd+q4htX9J_@O<Lkoi<yo^At%!@y}uCu
ztVnrq+VYBdz|yA!rmZ=qfY}Zv?acsIB57H0h)D|^rUho&T-w1L%RHbU=2!qGkLhn<
za+q@kFosa>oL9jZVmN_APT-Ien4G4LHyLyDPwHsefgJ)dV*{ABrVoG<z^3jN8=eJF
zT8Z$a0;S;r4tanRh%!7D_aW?G9oTmh+i}&daI3;C3NKf9nZipIZcuok!t)ibS9rF<
zwF+~bN!e-?u2vXL6WU-%g*d5jslo|`IfjIv<3TXnO7Iwk;|jBn#D;Ax7%;?}fQzew
zzWAiYeeic!OpbrFnEU$wv&HO_e^vTHi`hS4Qu@6Xx59r)>GxaAe*2ozKV$K7_}^6e
zLl(0?zpM0|=dt|k+wUv=QHvYk|48Y7Y%%-%C8a-M@qG9{Q~F<6To3;hr9WfwZ1`rr
zhcd8z^59sWTIkIj-s%gip5ukjAZSB-GY<sj*cq$zyqBO&HT17ndj5V2^_9@SN$C?7
zmq9;S>G}I9v`<1mRq45}5%s0eU#0X_7AK&;M(JxT=6HOo(qC^e$L36>pKWn5^n6Cb
zyjb72TRaB(1xmlr;yCnth9dS$73OcIP*3?F9Ptw9Rs;K6sP()*hohc4;zFzcORHxY
z)&R>~uHWjZBbK?`R;%Z6K=Ez9`3m#c5IxH+m~|7(`U_?o37)8MLSgoY*s#w8vtI?X
z?*(&w2(D3hy27;z&sLaYTGGx}c%i}#3NKZ7nZnBzZc(^Z;dX_)74B1*eJ15uqwrdV
z*D1VS;SCCJRM_xb0|mtJ+v|wQ*J4wi|GmDL`G#C0iqT$z$0!_ExIp22g#p8~{lLZ5
z!S&^H7PC)wSxk<9vzWi}vfE<z)t8lipT+FA|4{m`TFgHDy3!xCnB(r-O8*^;Tj4*a
z^hYe_`2B&>zhLol_%AB`af_G1e_82ITFhhR=SqLt;s*G?R{Gyqyb!+6^BdZV?T~Nr
zeCW?tdj3`sZR(*Pt@Qk@BI;*D&u7}g!*wO%TIerP`iT}#hyGHf=kssc*Fewx4}^!m
zRYZ(G?@FcTZxvBr34KcGt1T{r{yL@SZxzu#3H=PEueG=o`dLcP-zuVg0{VGM&;9nO
zp9uZUO25eB3DDoF^yWGO`(o(Lbp)90%<BPpIL4cleT&6$=<ihec7?e|AJbAEh9l;0
z8Lb7D>(NK8o;qT=9{ruwvkdEi<$AQ$>Zv1^>(O?r=W#>vZNB*m7bwhfiw)~0xL9Gf
zk?7fuf)fgtD$G6;8}_SU_Pt;hOEAZfV2(4vwF=Kxm}6RO<}18V;Rc15D!feL<qEeb
z+^TT9!rcn@DZE<YH43j)c%8!Q72crmMuh>r;%kHRp}7aY&hv_(JD+-sjSU))@djft
zDK7XeYJKCa!F`yqK?9#BHZwf$Lc!N7{o8_kjeV`cGnGx9!m|`cM}?eo0z3vp#dFoV
z3NXhPrT7Mw79E=(sJ-HOs?2X!b-Yp8qw}RMat&g7!37GFR`kD(4ck|ESTDh>kKhRk
zPgFReaH+ych07GKRJdAUba|K;x--PJ3eQ#;%^KRE$wItP;Rc15D!feL<qEeb+^TT9
z!rcn@DZE<YH43j)c%8!Q72crmMuj&iyjkIXg$ESgs_-_2w=4XZ!aEe+sqij^2Nm9<
z@IHn2D||rVg9;x~_^`r96h5l(F@=vSd_v(<3ZGW^jKUtSF*1fZuMo_8Qo(VBIhPPU
z??VMoP?+-v(evI@aH+zaGl-t|n}RD9<~%|4yvGzgU181*L_b^MdWAV35F6f03T{xC
za{$pVQ+T<;yzYxltHQkQi@saoK805+yhh=*3a?Xmy}}z5-l*^<g*PkQuke7vTNU1>
z@OFhCQ+S8MI~Crg@Swtb6yB%seuXjg!nVp+xIp2!!ebOJR(OKK6BSM<T&i$V;WC9Q
z6|PpeM&aoS*D5?);d+JVE4)zQ28EX@yiDQc3b!cSs&Ko)-3s?9yjtNk3a?doox<xC
z-k|VCg*Pd@S>b+#2Nd3_@HU0FEBu(kI~3lj@GgZ172c!pK85!yd_duY3LjGVu);?a
zKC19Bg^w$ILg7;ipH}#c!k#)7@)a&nIIi#*g^LxQpzuV66AG6qoK(0>;Yx+86|PZu
zy27;z&sMlz;rR+LRJcLmr3x=oc)7wY3b!iUu5h=)eG0Euc#Xnq6<(+CdWAPAyiwsz
z3U5}pU*Q3Tw<^3%;q3}Prtl7hcPhL~;X#G>D7;VM{R(5~c|LC-AO&##1qPaXTJGCM
znE>aHHqc8DUliaZ@t6Qt5|0gV4KZ&_AhmElAJ{_b;e3)o7Q*=x4K(ZTKAyEvmc#jF
zM4s0Q=i^xzr5nz#Ffdq)!?P#KS~#DXL)OFjcm_n-2q)`-n~AHb4TNhYlsKGVQ%9>W
zReDm3&2-{C{DYXfSlocH=$9+puJCH&82&-l!3j3ywEBLf-=^>m;(Yvr48jTCukay-
zk1BkE*xn49^Nhs>90L{?E1XccjM&~x)hIk$VRQUi8*`jm+)5ieuFP>~u{pjhHph|0
z=6JE#92XXw@o%vi=N6msT!6|!4l*x`k0^Yc*pBDZ3g@HWL_bF1i3%qbu2#5KVScY5
zJWGk~@zSDjx58_P3xhIq-%r7t6dq7`yTUt(Ibb1s6h5HvVTF$o+hg{W!uYT%)SLbH
zt<40bFIAY|EC|nZh3ge=P<Xk*?Zoz6v0CAE3U4I7IH*^@!rK(yq41!>`-#T{X%8uU
zRN)f}pHa8~$CI3|iWN>MT&8f1!n29(`E8-X%M@-^xKH7=3Uf~?IX7-rc&oyXDZESJ
zeF}5$D8D#pha(CfSNOET`8e*yevHBsiTS`El2n-cb&9@L;rR+LRk%fA?lU22*C@Q6
zczlr8CWQwS=DwL?vy=Gsf&CtZ4=8+C;bX)+sY6aF%*7$m#}%HSaH+zT3UgmZNy|MI
zeY`J3X;65%!tDyLR(KsTUyOllRJdQ^Z3^!o<_j;7L524#d`RJ=3ZEdh*V!`)7vMZ9
zdcLPDIH7PEG2T<6)F?b#;e`q>BjyV=kXD8J6ke<F2I5Nt`^^e(RroQ5cM&H7`+W)@
zRQQO($B8Ee_NNuj$F)NAV-%i9ToTwP6|PpeR^j=?lLPyu3b!cSt?(L!*AtfpX*Vf6
zps?AO+uH0@`aQ&#1!)f`d|2UQ3ZGJ#FRS^N2WjI9Pf)m2;Yx+46Hf`!)+^kg@N$LQ
z6<$r84AQPs*zDD8_5Dh3_FT659n?<^(he%j{ftF_Na3RjpCGn#OYSc$xB%B`!F;b=
za6;iSg}L{y*vuv_3(B)l;bjW965F|JpTcVuHv90}IqhcZE#9i|W5jl@yGvoSN3PW$
zq@EL1$PtB)D|}kve9S>)o;*h3i3%qbt|qPu_-hrOukccZTNLhAc#XpA72c%qfWq4q
z-l^~&g%2pq{Yj;q#}q!LFem+D6IXbG!lepVDm-1`dW9PlUaoMv!mAZtr|?FF`xV}%
z@D7Cs72dD#A%%}Bd_v(f3KwABC+)y@$pt4AE>pNh;n@l=RCt-f+(S}0`xIWQ@CJo9
zE4)?V#}wYB@IHkPDttuY;|iZvI3IITDccx@ClcHD29w10p0QftT7~B;yj0;9g}W7A
zqp;Zv(eiIn`T>QvE4)+TJqmMAS}EsYg^wwGN@2eIE%tGRCn#L1F!!4h`{@eTE8L*)
za)sL!Uajytg*PhPukbd7cPKol@P364DSTAn6AGVEn0wSoz4#q~;Do|u3fCw+Tj7NY
zFH^Wx;XZ}eD!f7A%?fW-_%Vgeerk5i>{I%K3LjCJ``JppxWAa-e5}(59;5I?g_8<b
zD_l!#--((}jOWpmr3$ww+^z5$Vmzm&tXFuG!UGC#C$0(XcPhL`;R6aECdTt_$}xpc
zDeU3CO>E){PawwgaZ0Jel?qQ+xSkl#&?yZHFITu-;nfPSBj#cfWTV3U3U5<*hr)xz
zct%gzukay-k1BjZ;WNZ|rcWurnw(&MFCsXhaGAn2#CQjQGF#z=3NKT*mAKZJdwmM8
zRd|EKn~7%z_FENxOyOM$?^F07ab1x1h{DGeKCN&*?v=%U4DqZWE%#>?%)M0wb6-@!
zwF=KCo*krJs&I?K-3qT!cs=o)AT9Uh6g;5tc7?h3q}XuZNPljSmU})5KCJLDg-<EW
z7yA7hg0yjkCn#L1aHYc2iR**3^$IsAyj<aS;(3AnYK7M+yiwtPg|`vEJxIGl;X#G>
zD}0Ff#=!ol!Y33yqi_M%9{l-%J-<B?oKUz-;Tqxvf&Faan*zL$_~rmFBVHKbR^nR%
z+^6tbg*Pa?S>de;Kc?_5g)@6I^j36Tl}MzjYpzYDQq|W?1Fo#BRR6ENwmOlhnO1}U
zl;sz`XU_b&zK;b_D?WDR%!Kfs9_|%9td&)p_@r0oz0K?{H)&{S^a<#8!U^84@PNXb
z6kf0J8il(RZc%ut!t5f+t5#u_P4v7?6wIX#!I<ub7%+kv&MK()5aa+NxkfKIPvMxt
zunKM1W^6}EOMYV7i=I4!i9!rL#Z60l(UV7Tz!KO8+SmC1hFP=Tl1Mi9V2_i&uCDg-
zn{G&?Dyk|gDyJr@D{3mLc%$Sc;8?<?ed*5Lrp9@lE4#c~7td*&S-1G+`L{OAX`DZ=
zVa}qN^B2#kyl`gSycsEu97ulP{g3du>cH|~5zxazxQ9gmBL&uH-2dAAZ~Oe8jtvf@
ze4c_JJZ6aLkFl6%B+=7MFwbCuYZacaFwcZy!!xAdZiRV975#dJc?K5!fWq4q=9ye<
z_9*OC^xoIe*R%qDUr*q-3TkibOZPOjS2WCDjNNhC(w%*>Nl=A~x+m3Gb@u4g*`r6G
z#_l8cTz!_5*yf}Mdx(rsq}17?tIi%h0(DTN5hB@2c0;0J&68c98o}PR4zhK%X5%MU
zIcLej#)UV|xjkfVY3gh8DpvINdKEqC_NI!y^y<EB9U6(u)}^k&uugRioNmoTXYJTb
zG~3Z>;z%S4H>`7AgJIq48jP4h)-H~u4x2WjHBBbH;l^Y-+Km~WBHGy*`$%_Z)WbU5
zM78yFb(pU9Dw?}GI&kEA6|2pay@J~#*|C6;fa5q5=<ey_=_W_vV=B%V@TkcM&vIIL
zwWVAOmy6x4IokE*X!nsE?LM2M-BUT*9m~;<-|OVkE~Poz&CJn`-@D|JZ%2-H@5|Bd
zZ*sJIJV(2|Iofe=M3{~^P8mn}Ps?Yg-u9j-h~s~;`yoI9!soJk+4AY*LuRDpljGyZ
zuoF!EK^#~U;Mc<8HrB-P${okFg=G-FTHtJa=fh6(9ansOtj;*{l{<X%N8sc8F`6$Q
z(;O)uABzj$O%5MtG}+2G&*7V>_;^kcz7B`4Wdy!fhp$@k@sYOhZE*N_s>@cs_d9&^
z6(1jA3*V<4zBME8ZFTrs6yGGp_Z5eaGrVl&`?ABgM)6HneE;R}ah8~k?*)f%lj7r}
zXQ}Un&T%v_0^cauF^$M}#m7g=!Z+37+m5(w<>Na_ns1Ndo2vNU=J0XGn~m=+4&PzL
zcctRv9<BO#+cN?m--*)YJEi!_6<@EzcVGm*PKPg!K`h7HRf_L}4&UJs_#SllN)=y9
z@jdGB@j8~R{r=YBo38k-R(${L@SPfg?;jk#2E})c;`^rM!*C6R=S_By73qTm4qrR?
z_?}@c?D$B6c0B(bv3!-l6uv815<v5x)O6fS7q66r!o7`a!cgYA@N3H_QSXEuk6{rh
z>Mxw~jloG}Ka6VO-U=t>Gw-b-EW+cI@8yXIUknMP?u<JOKHAj+&wvv?JQ@kFS%6*%
zE+k`BLgAy2tU_5=42UI_negQJ7z50)p^D?J!^Plcl~DL#Hlhsw?Ew4YmrXJJw*h#C
z$Ve>Qi7C*<!kx<{JSk%g6!RuKVV>bK5;Hrc=`hbQ8Ht$|&|x0o8Hss3LNgNcc!Xsn
zW_I}2VUF;O#3H|5&hkcEF&60=#_JwnSam39V`eQ(^ULfZ(8VGnoA#X9WaR(<zfEBu
z651-o%&wBUemvqb62lS07H2DR6|o32Fg#9D;n#Z{5t;Z)uwt&mZ#2J_l!<?n+21h}
zzSR6WP$oRd`*0-vWbfmV@MYdVMZ#0Orz7F1W^c$0-<4(`n@qUe`$fe5Dldi#X5v%c
zm`M0)Z(<~TjmLMxMR?rv{csV6=Qv@0TQ9<RemgJ1F!#0>VR*F@{(uwy3n%=D6Mn)8
z?{>mpbHd+s!as7tzi`65E{L$ave!Lz3}5ENU+;vy;mc>xWLaVfwC=h}pp7o3WLrUD
zF40vD;mf9V7f1rzsAaaL5awdnEP^Ce(O|gJ5yV>4$eM;;$Z%ILy6;Ng*Vx?=?0Ign
z*=k%O+Pj)syw%rKP7^D^#!3PatKQbGd$FfGRz3J6&5~PaQd!*E)Y;P8+H_Z1?84o{
zt%2F*TO!TI<u;->-Ps~~*=0P8GP`)&5cf>Rp57{s`&+lCJ4K~7RkoWmtCYcJ@f>#H
zJLx=*`Avt2ysK{XY8*!N>XH%BGm({uo+rX=dUYv@*sIA>M6WI_5xtsZM)dXx6SI!!
z@s6KJM9)c`m56?{XdNEBD<u-KzgV=6Jr8y(5qnOoL_a+MY)W}|gVmOIE?7i)w}Nzj
zE&f3`#gca-IM<hV7D|cnE(fI&PB60(T(5A0!pjwIS9rC;>lEIoaKFOa6yBlmpu(KL
zN_h?t&%!^*K{$DD;t=s1YJ=Zjk#`x6AS~}G93^IjAjjb3or2@U_8ox}#P<3BDdPF~
z2RRKV&+X3;+voPYpv!Z6+R5Ya0%CiNj3Ktig=v3wAS3}N-%cfo?U=75w&T2pm}HPz
zIQdSfp4g7zg~WE;E+vlRA7nY4d~?%EY{z6bu^or2iCI9%S~&TZg<+`+=>(hd+jBxG
z^|p?t%odyRW3efxt-BdN7B6R7i`$89o0#%gyiVyi65Dfy89x?pQ+hLgY#R<zZ}EPG
z4-wn8J*w~tg-!n!Kmjq|w^?kyZ?ibTez)fq^L?AeoWF>EHnH@P!sh!nt2f`b*}gO1
zw^_WF_7<D(+iah1rru)ScM3M&x7l-%`M%9!^L?Ae=KD4~297YT#pe4qi%(N;#|Gyn
zg3b4BR&Ty<vtx$qcQSs=_ia{ROT9gJneW>yHs7~d+(H|B{xRRTS!}*<vv|F-G2gdY
z{eaS&@7t{2eBWmA9%W;`Z?k&yeVfI{l#Thm&FXQp5|+(;-)8mZ`!<Ws_iYxN@7pXk
zS5?d}%nLP%bH7t_UFEfS&xUgDcWRb$oS|&hW^^XKa_<VWeq)D((ehu>lP6NY8hUo@
z#68dD#oznXqzh91>7hZ-dpd9X?hOl)Z+ejZ{BvriPE1amF}kkA8!Sr<=6f5SNxd{w
z9-m(9|AevectNT>erW8zNkvbNF>mb{?sy&uU!_4oDih(EIA->AUVmM(sHUhqK8U;2
zS3o$wFDO7kN>d>P(;RsABQM^6!Q(IGKlR8fcRv?fFlztxdpX#W7wvlQuJne*`(p8n
zf7yTWJm3FWP>FiK|785q<iwhbmX;uoQQrO){WG2#y%#OBp{qRZ|Jam0Z!Q+1;{}iJ
zd*skZj@^Iy?xH6vZ57x)PfdDuEKB-atiPv!ak4I1a$QmJhPt4b$@$NgaNn;rC&3Xf
zVyO>}RW%)+zABo2`q|T)ikrG0iRV3g%RC>o_Gjch)pWt#(oyleDHAU#A3Y-;^b`8A
zX#a;$x09?}`RIbX_ca~5rRd3oR7ogNx8DtCJa6;~IugG-uOo&!-;p2Bn{obv^YWTv
z{;zcRhhx6k3#OYK{|^4WzA98~t8cFz;ZlP=Uz?j!nn=7HFyf1zJbaCZ{$x0uAI!1|
z#)9Fjfqyw%3EVs3cy1-W3yz}mBM*7WMIK%}DPlvPHuSH6qfHeYC7TV?(<Whk+Awb(
zD)duuJpU5Ugk!$M^6-=POW=6zp?*0WucO3iI0|iud5)(39yp4WhxPH3LA?^dd2pq0
zyr$CrN;qk&GGO6n*(l^8mUgr65&yyX+21TbeZHs7^5YQqc&%mmZ-JvoeP63R(~_UU
zwjw`$if|I2%SN{|9}JO)<B_6y<dq?oUtSp!oXhJsjg8@LGJlvWe7WQtT61q38n;xn
zH7@LFy9d9#bYuFy3<++{gWpH$O^+DA>MU{Qx0NFCjWZYDl!|5$CCFlsg=J-1d-|*_
z!wrOG(c+nzs@mMLz6ayBY?jw5Op9mH2d$flaN9Q%Gg1pjEuu}NU)IT<-d5{uB-X^d
z@iPKR(1xK!v=EI!Y&46rwecU~t&`xlA9(sYkH;CLI`G2(awzjzR4#V&a<p5XquuHp
z?KbCVw<AZpXLGdsRgQMt?=_e9tIg5w>o`B2jgN5@bH4>YW<taJSL`|gc$z(z9oLtc
zMvs@fEH^zFFTF4lO#N(JoA<-N5{{Q|#_>|~ki$0solF}5LyiwQd}Hu3M=9dT$4j^H
zecIvMi8z^J0ET=YclfHoSC4q|$ukO;?@JEfap+`<02uOp(cxPIzC(y7A7EI%=N!Hk
zgk?$qvyktQ!`Cq0^V$(lKK<Uwki*A&<ZOJua`*-n-z7F**7r@$xH^h-GDSdiSiT9c
z)BRh9LajqQ%ctKvneFh^Ae@cwZ4TdKiVu&R!}eR@@bNtqT@JzP9J`Gp*nQHm<2|=b
zJCJS2y~RmijX_$9c-D84wPXA3w|wx7@cuj--?yz@rM3Gm!X*~dL$e!q1bVdu?7fO`
zjbq2)N$8nI<Qg2v9M2*W_Y&-+jTpBS^^kGJX+Gmv5B?^vq(RVoH~6@wAR=+Ua`^Uu
zk9KUAB%JW^7zITr3vdD{PzvFrud?x$V}4J*GUz!iBp;{zc3A)@kV+i1MM46Vf?_hv
zkC`)3MjbO}5*_B5AS1v3=j(|~W<W7BvNEdS&)cK5{J-ycc4?;aradlm!W^*~iDAUC
zMR*%{8(b0kmt#eQnCB7^hRY=YpW*A^IL63Pgz+#NKCg?sT`j_uVUZ1Yn(*tqCit}H
ztyK}u%&Q~eOU!R(@OYYI;@{|f5`HH9CbJJeREDDnBmBDzK*(9-CCu-l5OeGoaXdJ)
z?8t8!hxah{Nnz$^i^CYsz{7x<b~|(J>~mZ5JEPGFtx?GY*1ba@OVm7=KWAqT=Ehml
zm^rgfljUY4Xe(J4Ml*$L#JGfb@;tBFVqP0>wwUe8zV#FM2jOU<J$1x|3H*apz)}BB
z_>~s(9L#?7(IpgyX+s@xq17+2dZy+0@=Nd!vILIy)Dah2Jz%)EPa$xzJsA=gau8UN
z`c6cczw1ijIhJ@TeAZ3!nr!vd5ldb?7PyDka`+tA#9RtlVey^tc`c`&#VfUVIegPr
zHZ9Ndv`N7?Z3R3NnBp@-2=5<gLm@7-dcIRd{c`y8EoOV%WHHNQ+RECH!Y{=?$UESe
zmOA1>t2gBtrOE@$JWcxmmjUz4UTiVvKg2A*X-{BF73TG3YXi?Cj^uTo$_qHm3pmWn
zVw0D(H+cbP%?o;p&WmCHGX4+F2i$*3aG}++@2Q^)pY7sbP76D3p{I^xxX|i(-V%Fr
zEZD+aZ}rp>OML;OWuO6sLo-qa=)*EhF($#W1ASNqt2bq^_N4Q58K9tUSQ(N5=XiMh
zZCMI&q17|&<M^U5y>E{ra}36e+T3UOEDR(8C(qkR;h%?p5Vn;(KjU#7c{XYDrJdx(
z<6rOug;^!h8%|rc=}KQuY|Gi8@N$LQiEa5;E4)tOjl{NI{R(eWc!$D+3h!6=kith5
zKB4d#h0U`=n=j98QicREjwy<Hc4%>p($7}d?2Tz{%(Fv_&AqI}eae0<vF$JO?9k%P
zO3(Wuu`$mMt&MqhXt8;AXz@X1e}ovv4#hk>wD`2r=cC`mW(+Y09mG64wAeg5w76Q?
z)Dm+-3o*|QEncehEyP^MhIA`zo*i1fd3I>WB=2K<iw6`o&ki|AA-p${>&PC3gSTYl
zY2LY?=cTT@rYd-#ckbtT1H2i=_~rGOcL;CCub$qF*L-l1Pb}ocl7a(=<1Hg-XeAt%
zzYi&Taxisd=*1`FJ6_5w_b>SAQ{R8~>#scS|8Qs!CGAXoXJ~3u@}0>oCC{9m^7+_a
z%rH~m8Y=ntVBJ8s{~T?e&Ktj_IQh;G9<D06aMIU@P7WNZTEVA`{<j%>W10Ug`sJhj
zZ_@wOnevPMZxEF{y6}p!sWbhro4}R{iL$jNO{4s;GME}1s-Jm>Uw-k5fkOX3sJSC=
z$@B60ruge?iWiKkyy4*)`Q@V*jOuAR-`~UNj=a@(FL~yInu{hqF*Ie|)g_O{;@3<W
zH@4)_y!d5P#$B*z`_MZUFTC@CJI-4$s(f_(>f7)3|B=a--p$a0QG0QG!H<=XZoAum
zf-$WoX8GKN|2YOz9~(k`7yEzDKs-iE|1-qNTV{;*KSlKJyu-Vbx6Ir$bjzlpj`L^4
z@4MUIO8x4)cXy5}KY#B9Y=cLrK?@9+v@`v`qo4XSJUOi!*yZ;#wB}^NPxpQQ(ASSW
zdHV69Cu_}vIi8=giFrP`yJXz6W1q__88~!B8J^evf+T2Mw5NZH_=9D^^VE_p6Rs%p
ze`<0(ZgPCuf0?0zR6MVwW1N2W`IkdO+42(|p5;FE$g>}LI`5g1aml(@?rzOXPQT#s
zni4z=j-Ad+?w{trcz=BI<wY08$6a1>LHz2H-Dl$YiRy<x_)_^rZDaixnQQCV`tvrd
zLqA>=&*yXMn(-T&%P;bOz_^-=H$0H^>+?30^2>voOUK8~E1BfgmH6ZPMjfe0_}`_`
z_$Tm~^1<=mq=Q41H;tK6{JIBm7AwEFs>$~cGXAB!nz2jrep6EZ{*_PsD1OnhJpXG{
zFZuH`$z92keR=4H{Zvey7%$qJ@0AP;_)jr>a?6BYy;}9T_v}3}l<lE1+Ptb{+*6aD
z&SQg44xf?kf2d|x&E%Tc)Nyl7C+a8QNJG0}kJ1;Fi~|W`ueglyzh?FYsWm@KOnx+c
z3Z07$3S@aqc`Q#rQBpE)8Xxb%Puj=4#1o6FO5PvOE4=!;>ViqX9;&QbTN3j)*oJWa
z<SCTbN?toTxgVtONHP!Qes=63yd&_`q$MB9KUB12M*iN5ywr)InI|y3?id{myH6Bd
zaz$A@R#oSv{)?mTk#E{}4)Pwn&`bSj2&am=M-B(i^4FYvaFjRc2Scf&Lv@e*yZ-{)
z<LSI5TYk0o^pJiy&+9t{B|t~SQfKfEMBO7l<Vz52$5)tc!!uJyZ#Z5PuZc}7!Z`7R
zhx~X^Kt1H=oM9b_l-OFagOj7d*1y8OD=<2BYN&3D7aU;mys4v;@zhVD$q$~@^C+6C
z-l1p*C+8}h(=3O}Ma*%vFYnopB;yx6{^I?w+&#^IE*~!|n1ePM?_cr8mr_3-D!-_1
z%O(CxtmLbCXIAj!mHOdO$s;v&TZ;T+R8NgBsd{zqcrO{Z=ka*zdnjpTaCEVp4_=Iy
zun#Oq`2R`!@BAmu01Ld5GS5HEa56sQ;sqD^-yu$YedxKox-FOCa4~1}B_H}#`RHJX
z4}0aJ-U}qsFI(R7n)`+G!%E8~-Z}bZ;jn&b$lfow%!c<Kc1j>wjOd@MUlxV^(iZm1
zqPe5I)C)uL_ttG$5uEYRD~n!z@b&B!GqN#${u8~jHq$F}$KY(|FBt6~QN03lbD@oo
z3c96Zl<k-Urejux9dpOX9fO)-pBr-?U?sDkFBas*$Hnt%CqHaX9P#n5pXj||^hMs7
zqRFM0GEKU~zVp$+H$MJfz`xfwS=O)(AsmjBg!v!bCKB2^igWr&o6gR#%@Q6}!BjK2
z4P>~O{~)4w`B@$xWb}FHVP@=Yrw)$Xe-HO9IO-pOQuONpRzOz*_X3p=+7n|m8+(2Z
z!Mk4C@KFmz%FFsQU;13~U^JH*DPofVrVahYaJ1=#V|KLZgX5u0{<UzUE&dREvH5f0
zH(32P_`IW{J?ljw53%t46R@QHXW$|@+V6)$Q4Br>pTe}n#c(VeZwV>X6Z6p@_568d
z3iTBBfe$kJm%-77OBoc}5c5(@eKi~<TUsvb7=B}s-6mmeN`FfmE{!oSS(TIWkd}3!
z@J^97_Kq<uGvm%>quYf2MIJ5(Q6w*BLmv7ZH?*mRqtK=nt{koet^<xjJ+buB{ZvAz
zC+4y#c{amQs3(^8f0RlH^%VMkGVqxf(_RBdVH~lHF)sB`s3#r`$Fki3N1>j=vXPTM
z<H-3(a1^oOIG_!EE@jf@7C5#WId6qyU5MM^IOLd?b(cD>1Ex?<Odi@l0!N{q_-%01
zAAzG#e*}(8ig|E9g`-eUq3<UH|9^6uNLkrFTs~u6-b*Efbs&~D`8!}~!vWx#a3yfx
zhojJ*SlZ+yl@RJFdOV+xF!SP=qGYovg`PG^8bHK`Sl$BTN{PG$CYZ;8U~&lNxm+-(
zRf6jkZcuo+!fYS0U#&35jOaHi+^_I9g?A`Cs4&l^!gEOBT;6E2A2mhZX0y8JTWeOC
z`7|qhpUuXE-)OlJ!N*#z)_k?)D$VCxu2R0^a`nBzCtR-De%X~x9elPG#>h8nna|RO
zMMc_0?4u1MTJxn_NFZOyMF>P0B@k_tKw1@*lrPglavL}N6SWHcZe14x+)FG~ftLU?
z?~d8jrewpkLD7b(Rksg|%XIv(DBJbJ^g-tjQwQBYOdSpY^LCtS7<|AN?4qR_gt}o2
zY$@CMnK<b<)&0XGomP@GZZnBK=)(++^sPf9YL`azE{&>lI2baSsM=!}wzie`HQFy0
zD|&)4Fl+H`4YTS?t7^Q8Kgf%LoZRqakA);7yvS<d$((W(TrPIAbF_PBj&}FvX!oHU
z?Y87-_m4T+eJw}37jm?FHAg#6taIs)svPZZ$kFbO9PRjCApXuduGZ&h_qRFP?a0yY
zK#q13Z~(w`#CkA}a?<i)@z#iY9ElyDC2@jtF1uGPUzOsETTG99bYn4dqA$m9EwJ2h
z0-DJf{W$F8SZ25svsL~!7bitn<}h*OpW^T>M_6u75gl@rIDCDn;6{;rJf|=(^6|TV
zT|U0!B{zkL4*8}ze6^@JpTUuj6I0=Phr@Ra4XN8&>UgWeR|X?a2Fb@8IpJI7@J&Pn
zZyH2|kI&)+Gp-eUrSQo&3662B?}r?|YDCaZgmx4@!xPN#2E{iSVaAbftHZYx5v9<J
z2*=+!e2*zU-e?Qozc_qr5Ft0V<P^RyID7{c-xS5i{?z^34+2j5MTGCDW5?fc%Vx*-
z9yQ-~*vZW>Ifd`EQ@+!xd{<gKw%;WfADVAJ2p%Po72)IiG=dp55qGn#NXY)>jUD62
zcdf(6-*3ACdJ*ABIehD`4Q@`!$7`wZEpYhwJ8p6VOitnB?+FT~{sj28!6zRMy^t^M
z@D=04AUCZr3ptiMe4DSs;uYGIe0;A(%E$LXb^Gym(X!Q-zh9`!w{2RczFZg(zD*7v
ze;+MdeLw8*6=M}a>WiX=eA^wq?ckFeQkaEh`lQ3R3w%;v6gA}A<M0g>WNuzH-@iG0
z`*CvN4Jq62t%~n?hmXHmmL!oCX|v}XzN6qPg$?;;z)Ac00PGKRm63zsE3%j#<0#`C
zJO19;OF@+RPd>_<tsQTgDc{81X-NRhfAY~yfgPGQlwZQGCJbfroo4wY>MFdmz#C=}
zDId>^_zR@~mE;XE>pKgMaXjAUI(+{|KDpQ-UifA@d`G}XJMzte6Fx3lps7Q-8H$@3
zX+`+xOB*w)auOUGU>>j>A7g-dGq3rUCq3`UEPOB<QDWhecwq8BZ~v|<B4z)>@8`uM
zG$S!{gy}Gkkc`C4GM*0CW&%L}yFVC@f{er>XArgzm)A2AGt09&{JKm4C}x%vGpbl*
z2F3W9nMh+_=Y)C0XC#Irmd76tBf7EP$st{09(R|+i7?Ff21OXYSpx7GUJkbg?hz0d
zVa9tGun6OOBmke`_c-B=PI#LW{-P89h7&&Ogn#9P$Fss#nE%yInD5GoFh1>s|JVuh
z{WuZY4>;kSPWY=%_y<n-C4_l>;{&TA%<x}v;xEL>GJ&{Xn)o+)Z&W8w=6{V7)_Wc@
zzRihW=Y;>p3I7Aa92=D;ze_#t?<zvR@7Z{cWWG<&eO+mvFyYDGFCBY+qmqfgEPU4*
z=4L!xZsU1xQ-nu*{O(4C`Q2i}yhaw`F;-(Fe1+Fx)4##QU+MiR!njm;e`3Pr9)IUq
zgnXZH!k<UD0Q$GV6=4R+`A0GE4JMrO_*>5+OwV}-ro`UA!WH3)^|BK`ij}oOd*1hC
z_^<Jj2xs`O^R991=O9dej{72SnzzV_U*UxBMVP9fectMQz=lgr`WfD%jI_e?cpXiv
z8=Jd2vHf~qBlr61Sdnh&YwvAD7#ptN*SK<3XLG1*?(1o6=~;1SV-L0?>*@&gom@=h
zK4X%aik@`yJ+gHe7yCNW9nIbMd66$Hw0&DAwtE)^7w}N5m2G!ocQmCBOAygYVIxXX
zL=<7#-gG)sRFzXpdS%n9_P*X>rD$X;VIi@%tt-<)lCZI(t#jnap3Xam)3vOKDzR?A
zsykxFmHZWLT@jsa53@ol?G)B2qLubA%FI_QEHSp2i<nYp6gD!mtSwoD^=w+z*V@t5
zk{(v5#^$ER=GLaREN#<uZ)an3x+mJPVIEk4PIr5~_rdFET-A-$`E+A*_bL|X?no|N
zt?o|a_cRQbEo!*R9w}*i7e4s!?CQg!uZ+Iod*kU8!#2y)k@xoCXGVlaR^7D$OSa;^
zzI1P6(>+aX?P6-5#MqM32&?ca6fC{V8hK{DU8qe=b5CEeH(+qgENE(P?`j@-gTY~G
zO}|PWW&wSeN#p<tGwp8b=}mjG^v;7<aAfRs-xUlUiHu}{$Ot*YhPDwqyGTozQGTvX
z2BpkwJvL-?K_90up4)u8n3N#qjVoj#oR9l=3a_a?Z;&B8@A*8bLU`}v^F{;0^Rn<T
zEZ-M!jw0U;{k6qBjeg2vuKE4F#pKv0diY~-{bpL``F4wWzF%uGe|La$CEBozU$K~F
zf7;>%Fy{%hxd`qz7PH<-IQbpPhk$8A9dV(Z&VRz{S;jIr`F+VRSUq*bg}7Iz@LEG2
z)~gcO=Z!YxARP775f@rLn^J5JTN~<##ioWf)A0{-6plR95f@rLJ>TA9{KVQ&M_g$2
zwZOieg#H?sJk${vTK#NbpBHe*g|@AzBQCW1dW8L2{DVxiHq;Rp)>4acW%Yc?Xg<RJ
zOr!SRYW36+7h3%stLF<!3oPbKO#Dp?mh)ZkxvnpGAvx;;&K|3$j=0e38<Y*_noLU_
zvDhr7%`E(ba6Hk5I^sgBUxu*kb-2yiP)A(I#(^w{lRXf*zE2+Nhzogh4{3puy%G71
zK5eKYE}TmX&)aMDY=>5aW&gx)Sv_^cg`8AD+Tp@|6|D_*$7sV&fpo*kev2op4RyqY
z|6h0KA7jT=-SIcOCbIK3!Co)HEl#>}mgKoCVb@vgg}8J{gJlN??8Jot33g&DwVNe{
z)F2mG;6|$`id^KTuH;r*Feo4k1r!B~KWL;H8mW%tNGL?Dqb8LBOT<z@t{OE~l`8#y
z&YUyvyxF(j$B#&;N4oER=R0T4y>oxfy)*aS%gX}EUb$F@k@x?^4G!GA8I5w@Y^=|C
ziO!?5PdvE!K~u4xXa~p--dQ4x<RT8d`;2#);E2OwbUZAYA#~ut5r+YE{JtoT=)i&F
zewU(ii+&`SLkAArbbd%U?uGnD2M!$fLK^X(zR$~l*zv6VZ#rJAw6V5}o0C|ZApD&0
zf68$!I&UI9g-?kio56%bk_8r3t!4R1=i$IjA1Lm2o_zV7;{)<7-AHT+akX$AH=TdL
zc_!RFl<*<PugL$qge{%7ijaIo4x4b`rt@ESo@>A3n0s6*SKO)}$v??)EgZP%{L{{p
zete%q=X>~a#cleL{Hq*19JuNH3(g;tze29qrXR`A<j{u$H=SQ895!Ed9XN2<WUS8r
zE-8;l@sZNMLLNK<ZaUBP@T)l?DgL<hFO|ppYy{kNp5x+U{4y4i4ucE{xamB{#V7c6
z9WvH&(|L}IJNb2;C2ibv9;P6&lI3zkWSoRN09)LJqn>g)u$85^ijXKNtLHe65cZhg
zFMrChJbMockM75v$Ht#JJ|h29jtS=riT_K-#B0VedHuJJ35#wA_R)QB!j|uMi;&zb
zhYlRL>HHSw37>n8`p#+e;lNSfhlNAubHeDrfkS6RxY(&5$-{E!z=502KjQq9d?eEL
z&B8;M8)fUjfY<Ag_AM~!7=4VZoQDHPAA|7FCv94eNgKP?^G=6VxYwaW;F2jhFuG<(
z_<h2b@An8utS*R$12>(wazdjenUKQ{95~X4yo@y5;5u;N(79-N>k|KuVh1CVJ#yd~
z`Q$5@d$F=4d`9?7&J+JHJ3b@-q+`N=(eY2@Z*oktMlglnueHx2;J}d%G(&`I;iK>Q
zzTJ7sFgVJ?pE&<j`BrXS-^!Tmz*!k{{tK>8(_!V-<MW{NaNvl~uyCaLVPWD12aYr+
zucNQ~4PkWPz|q%jp|e{*lJCl)0|#z8KPp_136dYkp#ukQIzJ{H@p;yD;J^`|)6SER
zNJkx6R&s0P4GC9u#4-8ZQAfnX&8Z{et2!dQU>zAO!<~{hB#g}w$5kDf79qJt4xPo0
zo6ZmDIPRT#fesuv?p;Y%>1=QvIB@8g9j^<75$R+1K3^T7v6omK5q?0JXt6gu*L~6P
zkL4e9jP2RPKkb<C|HJW5<!^GlRlda^!xF0_vJYo<#QEEFOt>5l$#v8b@o;nMi1?%8
za~;{MW9-0zqfYI2zN#Z0?u_%)5pd+ouyEwdBf{8(14o*V2uB@xR2UsNa7P`vPlV(<
za_F=iH=Q5Vaq(yRk^Hk9I&k2o^JBshpC7pn95~|hyz}HE5@YQ}!b2pWOL2b*RMZ+n
zZ)xME^DsqU$y-_KFR|q##w3>J-p?7<ad8Q3d2faHRV>aJkW9)IOAI!qzyl@T2-Y(Z
z*&-L~T;C4X^8(o+R}i>lw_KsRiF{hF;3g#d<O-!5azL)|`+W%P_b6E17s1Cp+P(Pw
zjwIgV?>ucv=v$nf-<J3t2~Q_%aq~2sfp>f;Vd_-jX?rZ;;|ZTg_*BBD6F!^p`Gj9f
zm@!6#HI(ph!lMaKCVW%Ee7^}hw$_2ie|O^dg1wv^NSHBo@JAAUG~vg=Ual^>)`6F|
zGw3^hIbp`6#bPCZWRdbMFmojW+gb-+K5eZ7#}nv8xdmTZ+S#12t##o1F8F4t^XY_b
ztpn$6tphLrhtY9-G~vg<UN3B|1IJG#{)Y*_knl?hzmjl6<t}X6I_YlH)=774>!drj
zb<!^{?}dHDqHb<Xcw53d5}r<&c{FkD4A|>6--iOvCVULMv<&xn!Y2~u+feA7PWWuX
z=M#P{VcSp5?KA!hJHrW&COnz&O<-?-m}?mLj)Zq7yf@(k2_H=O2-w@PM-zTL;U~e~
zzMV|?xrEOo{Bpt<5?-Xb7<QH>yfWcd!V?KkCA>M|+ri%6?n;<>WWnzTdprD4!iN(+
z3iiIrV+k{VEcmAq{$au|B>YmsuO!Tb(y%j-@QQ>-5*|x<eZm_P-j?u=gr^hUm+(x&
zykyt6iJkZQawX#vlWWJv$0y$X9<5t4Hl}4ss^7J1Cx(aDOs-oyY_jlLCHC!AWq!h{
zQA@KIh8knSBXT_NvgkkATK4~3F*@|~zJVXGCBXB`VqyEoelq@FudnR8@#wYXG88ZN
z9sJtrfq@%WuRJ&UpvqOb0l`h>VgUA!^7wE5OGUN#fdW$)bM_(dX0M8h{oma7BY2?I
zH-6#u%`@d10OPM}#evO-i&tMip$>F=MTU0z?X-^^Wm@)z8*k{}f+K~MKqlVUl)a`_
znFBZIj2dVAE36(+HZq_$K|=t4j~v2-3rwTAO763Ah(FL8gi**QK9!JbBmB@Ie01=y
za~(z~Na%p$uW95={535wHUp0&+{@p*KD^}vA7UxIKfl*D^s4?z)X8tZ@3Yg>?UlaM
zN&6Dk@$aH)2m7Q|`<F}S88_bk+e$iJn*Xi(Z_4#bVM>LX3zM=Q`+>YDSzCmA(R*eA
zJ!~L*<iKh=OzPo=9>Wq!&O&;BA)R{sq68B_+{fO8;g8GsS@}FN=+dD_>H8bGZ0|80
zM`;(V?0qR=_#^7WjmXCy-MO&$gmAX^l#Zij2v+vKl`#C1GBP6{dvxo<-brEXQ45hp
zI$-P&f*$fCIrPRjkWA@-+8x3<+zWEvrL|Lci<~r6{-A^WLM|}Jf3Jg_E^+Rh&P5#1
zn^M1ZL_YUH>k#+BH@>(=u<?WrP6J%x+<)sh+uJ33=wXkREbP%`in1cucvuNU+Jpqe
zkF?`lOE*v2Tp>&gh&|#-9%g&HRbF_X5EAy{xSKzB&r__nrN8=%Z^>z8o%TtgH-65g
zcfLK;xoiHC5^Z75Blk_d^J;%kB`0fuuapbn_*yyAlqbiaQkAC?JWq*1?msn?HaEd$
zxO}{v9nqfc(y3LpwTZI^*4m30FA`>8!3w`km@z4`Rt}8r7RNjZw>hT$+39$<eA<WT
z%a1w_2X1mx652CtVh1Ypsq^q~;LzXTyoD(o{ryikPr8AdJ|+;X#x%4GeDg%WO&|Bn
zckkp4-xZOT92ni-ar|!i+;hZ%_5vL^aKypV!Q=BT*MS3vj$rkz#%y{#EloTQS;uU8
zzEHkmzQ#zxV+qsdh0ex=Nym7PvLoT?g!h3x4l@ZKN_ZAb;z*9k1wNkeiG)ujOuv!o
zH?d0KLjCT^i8bndBMbMtSCG+)`-D7laZ+!TCkNHDoxFa@_zCT*JYM#SNkh^!3;l5R
z0UN#PSKJ3|<~O|$*x7Ozkow#aU+r79<TFp-_59XT%Qsxscyi?6-6#8=J=*xU+2!vk
zHZ3bxaeAh2ve>w6_U?fzTPtr})n|Ku9sJtCPibE)Td_|2m3>D0m2EwF*WmYKXDk~7
zoGTcDJk$5{{@FFN%Uib&T)A%WvN9^??s!m9*#E!U>FhF=y33=CZr9$Juif1HwYJNc
zB0jio@Xfw**yeMCzufg}I<H?p-}MJqwbrx-%e}kW>3jap{^ytd!J-%YZh6x{U)~gM
zp}oe^%4lJ&^p!rp5u35snBx6JYt?1vtNOIFTu;jCRt>+Q!>u8|Pj3&bL4=}VLxP{r
zkBS&R*Ay*&%MaqTjsEVXvPqce;9o6=&N?_b!kv`6MvjL0lX7$&!1u}_Id0e?ZrH*O
zjRO)o_~_vOz8pGh<dAMUbQ{p2(}bV{=KhESj<E1~$Z`(6S+39VhvY|`dB7nN7I7_F
zWt`tG%r&dw<j{#YVsliE=N|Y5IpmGBLp+GjJLMuibY|d)0}rW)&mRgS-Qx4>*uf_0
zgIpp<*x?h02rqo{1$}%zI-<Wpj%Nw_Tjh{nRiA4kKI9$tqb`KaUsfmXC;V>rh0S=S
zz`evPg}}YMI@rGbb~gEL&)ThC9{3p>^-pW&@cnm9UuU{=nR0+1O6(edV*6D?EYpA2
zu3g)GgY`dpf9L6ooQjPEm@mEOo;^D?v%2$Ib`zNQB-3o?J=w*yZ{`&@L)2^byJ&Q?
zGk4pxx}CWiM7Ek6UfpY2_QlpnnVV<r*Dg8N+H5=DYFwFfZL*zrZEl|2>r|-aU+2j#
z$&;6H>5|6v({plh!2mp$I`!%~Q0|~tZOhgrp1wC*rBb)hZR@t~x%gZ4{)@2=%{R>p
zGEsWfZ!}+<#Pp)aBdiy_`+C$n(4*d0der+~k9z;!quzxc_1>aH=_Os5d)<p(uWPBq
z;*$&I@7H?__YsY`E*3w|A^+m`q;66#SE0xM0eCbnr1z}b%l8poMFNO&`iq+0MxBeU
zVAeY)y|@PcxcY*p<kL-~%f>mn3HBXZeuR5mIJ%93l@0b-%k~cFWx|NgN4GERtx%sp
zs+B#$j4q~NWn;PYvb{%Tk9)x$;fK9<*6d+Cx{*?=Z1Al;+k08|j_Ex1e%JN5-}l$-
zG2bA%lR915SYNYuSVp$#JoZ+)9`@>cu`vgso4q@0_FhW%u1fa4Sc~6tvKQS;sa5g&
ze9hkax3%Lpob0h@n@m*s!F!}`_Wq$}?@+S0D%tyf&E7U0Q@%qY51y>qJ1cvn7wI=5
z7x{apX73IiM>iFlVUNAx0>ht|y&3t~yGAbTEw0ty$LF!vFTHGUuQE04wUWJSYxWk^
zt_vGC*Yt=-oRhf<-&fOP{zSL*+f%##g5nqHH=5%2S8h+YX~KKFs~zJ-9FDji!xm(n
zj#rh?ekmikuZqv#2|lLd$(kOA{O1<^kiXXPmN<|f=e{jI;=t)edO5jIKKVAzu^jiM
zS6bCII&Az{$ISf*348xov$tRN(8J#Ka$%3xmg(}wExM_v6A||CBkcqmr`724&6^>3
zywhGPyhJWt-q@}A1)IW%&Lya$?y~UO0atWfICt#}TC%qETT7IWX-V4B-xzKm2=#a5
zIL9Nk^VFoau$NqxejAXtnYn9SP%_)nZ*Tweac3(1|J$pN7XoeR@Azs$dQ&RfGIwnW
z-mJH!zxt|Ia{X3g^7-qlaz|f*z4`c7#`FE7c04raI}NW?LMYeNn-Gqt<fuc~7}N_L
z`o*+QTsNpE^KE{NKd2|`9rDqqz6`27-rsS2m9?pyzroHA+nnF_@v6q-;t|3aRC#<#
zKJCE=?D!g6Ot*d9YW$CQ1RH~jRjij*9>1e8=0&Wur}8*w44DRw9e-=Lq2ruQ1FHe0
z0UJeDL&xspMcB?kV(8U|RMmchdDM<>eGE9y_3hmRYlhn=<{jr@vVK*y(O}nMou_$x
z=OPaRt0}C$Pfa-H+t-I3lQ-l?!MiXCtqlDTIB?T>Ua!IPnsdxC&mQu>@Pf-RI&k2o
z^S3z9wUp!H9r}@cL=Js8aMO9gM$zI|oLqb_19$A7#)T64e9ZAfsKsES4HaQs?K~Vf
z!lG{SpRLXE?OI`4dR*`;9Iul9dyd!2M+y~V#L`XI25ve}|2phUIp($NjfuB-@-9=d
zK@NR5aMO9Se@XeO)#5Bn^70Ly|CWK(?K12^HwwR&Cr|wU4BTN;&tCM+rf_A`vDtJT
zsdd^Ek7S!%KcvD#88Mr}lpTwwWBUf`IyzO^92VwUWLPfZX*QQ6o5Gb%$7a)YxIXS3
zJ451;VY#r$@zAC1zITB^iRCW^&2iKD)jDP$zYX#&zsAw<x*#5odu}@aUg6N^mLfjy
za~=+y<I@p`0iBc(pN=?)uj1f?H^SvVd{rErw>Y@|oH&T@76<;nrQ&2#sBR*5t#`1f
zas>fNs24H6dl>8&w!mICh+E9RrcJ2kS%W>DH-Z(Pkiwr6P=PHh=SSc@Zf4){`ox<}
z=NTJ@{*HvF!G2%+5}rx;5ZLc`HsNCl9|wEgKaudMgij}YHsSLLzm~Ag-*=nLSqS^X
zU{7b8zwdZ5@iu?od7HoQ*yis$w)y*>M|-)}@qvVG{=V~!okPdw?>lev_ZKVT5}Uv8
z_$2y{87Bumld#R-cbyCHUQg}4hhv++?|7y1Gjx9K`TMH-$VKPxd-*&}xQ>s4y{y{&
zeaAL`-?7c#cii**{maYvFpw!6GyV*0^Y^_AYxDOVkD=q(=I=YU`TI*to7>QFyd&ZN
E0}8!MWdHyG

literal 23444
zcmds94Rlr2nZ5Tt2!Z!dlBS4C^}Pq`1Cx*d#z>)tfDtt)fByf3mp>8-Nl1bOr3xJi
zROk#kEVWZ+MAVL*(kja8*e+KKwBrgbwpMLdaI{5awPMkxXj`y2Z}vX-`|dmM1|*%C
zu9-C-oOkxwXW#Gq+;i_e_uP9EpPK5ZYx>-<39)P|oqTCoNlDqnOUh!g5|d^B#$uDp
z%VmRw!yLyM<v5|j|5}*7-f>PJIy+lxTAFK99V=>@TbsL_C8_S3y0+G?hSsi{mWEb`
z`K=AhP2AbgRnu7S!ww5CSKPF$tG;cyw_RgLLxWMnVQWKOm%*vJx`uWSb~L0sZ_7KH
zyF6uMM{3a$DSJ^@6N+Bc*43QqYHssfE<zRVYUpTgTv5}}(7CL|b5z&W?N^eR74=kJ
z@t|7TQuRS@S!Y8{T|-A#b7ON|N-Dt3$+vej-vw@Q!wTO;T~kBdV$G<rbNq%bY3OQd
ztFNg;%fw$>?VUAC8kV%7e^~|J8LQaVZrbH6scoq5YU!*&Ul+Gwz}RD?w4?+B#Q!ZT
zn~YRhX_+@_77n}bis~xYbum;tbDcY!Ov-VNeF}WoaVDGWq*LZh66MLG{M~)~^Li6|
z<2|9oW98$ELaDI(VS1P26b*MjV4T?29xGbq{@&on=fnzExxX`bYcKJ8#2X6TBc68D
z_(Jzx!raoHcyC_*?h(WLoM>oxUuQ!H_K;K8(u}=rdIh8G*3#RD8Qj^>(pZyfX=$sQ
za#C*MNpzFIX;0R5b=1^%)GoqEXsDlZ>jm{z9!E3=WMlK9n)-&u6vj|zK+%0k$z|Aw
zT{Z2gj?RWDx6YVuZ63_L?#63BA$QI-R;HF*g9F42JSn%cv#zGI4FNUdL6~U=8H|)=
z?I%$hp52w%*c*4+g*;fT-ZM$R<K#H?v>d-4k|Q;{22H8f`p%}*Vsu4ON%sZaXj07Q
zV%J@hm26Bkw=~qB!hu%^k9!Z91HYy|)s?c+JntDBg5NU`&Os<fs6?RMfY4!3=4UhD
z4uqc~96^ZUAUF@94B;w0AaarMf6PYzH|mqWd)Lt4?|p0k&kpZCzGIxb@0Iw@wA;g@
zE$LQ$%W+1B+<#;0rO>`@@u$=7513fH+DSaQ%iT?!XmM`X<HWz7cE87D75XQ!t=oNp
ziE)MRg>Lx5dGW{7?su3@M&0Kb7e(EFWxTe{NtTvwNza-dZCsIZpCfmBs5><><i;OK
z&$%S#K20iTw!?GBv>~$xyW2@D32i(W-;|z~<9^-b&p>|Zm(#OKi-tF++$YI3rLaNH
z>>T%Trjm1~uS?Hemu^b+T^@5EB~|VwXOt)Qb(UA|n^ayqa{jR7=wp@T6J7|<x;zng
z-G`}}9oqOx{O<I$LGETIb1uSWc{qtZ$W+nr=oojCadq96=VsLuo#Fm1Q`15tUvc8C
zX?KI!23KFFylv#;k?7!LymG>jC4=3yo^0c`cthG<!^GOCGb=vrjF*dI?rQPzU~ar7
z?cU2&GVXq!aSqPGDE%JdDhz0pxWeS;x!sJBx7?&l-MdUY-Cf2wer?+ABB;u7;?-%l
z!;n{}-K7NB8SRXdg>IXPqi(D4OBk=sb;_fOZKKAI*)Yj%CNnK`L+zi7qH8aN>nUls
zfm}57Vgf^^v^+g-bi6EmEP9za_ZKHpu6u`ZcZPdAW1RcP7mtg(w;J+H_ZG(2OmJ^z
zyx~`9!;MC^wRil4ai#9{CV^|jgjI>uAa|ZgqB0Z4&2{H6QSL@7JHny4IqBH)5hH)|
z`rJ@Dde++Jbnfqa-s=6?JG+nV$lqNtyzh1#zb$eM<N7qTbYErs&*>`H`NgYF{G+t{
z5q+&Z3L+W0EEEmpmU`D22L?SaVINa+I{qF#Pk7r6E!`X6m?#hJdpmwSz4C;6oIY{}
zBQr5(T{PPG>@d@_-sLg3v?$sW_sac}_z51{sLS5?&{7<Zd*XjeyMOYkos;Xhe;`a0
zhCE+5)Xb$8d-o_a*dq1)_w@a6I=xlO;5qX9z(0{Rl38Z@Yj1pi-eH~}`utL>Ft&R_
zuWTFj`WpwIzHcoC*SqNhGe%rgkQYCkE-6{)zHe%GunH$&?APBig|XA|aiZ{&A+>|!
zZ>85_1RY4bzxJxWuJPHy@n0J9&9wVgrrN!E@3^u%wC-;WyzZ>`(9%6A))e(TQXBtW
zdJj%zW=c}^X;k4z`oO*s7mYpx^<R0!n~GGOY3gjIA}@t**!FQWlt`e~Iq`$(7tuS2
z+~0ULOe9e898}!!zf8La$#ZA+=Jmv-=EqoH^f`Wg%in!qZ)*SCp-T@>KVJG~_@zM`
zCngdO>i37V`$zg%c{C>qb?MP`Ut+|i`6J`+r@cwj%7ZUr3?1Ay>fM7!pT4i?jA_GX
zN4@@iDD-je(w<cB+;^rQ!w`;Ps^o-1aDuY)8C#aW`{lil?SJ6#>Y+Q1FMTugQuw_=
zBlCwG-8L%m<jw=FvEOWSmxRiPf8pu-KI%L&BUAPVYtc8QN7AcUr{U-`Z=$yH?X^Rl
zq9L<$rbV0G6?tEZd;QbocIT~+KlI9pX!z3noICd|e1F%p(8iyXOeif$?0RV8@hUX)
zgWMfO;hx8OA9!c=v8DODOIT^1H(}HNBb|8l*hQ0b<0sNQE{FH6Jj!e$=gJu~ro@tU
z9c`VRU2SbGMb};#D=nT_Qd}}FHo3UGc%sAJiy^S{Z^HdZXR79^*2XsH`uSJXOs|}O
zUG?<~uBfTLYQYurrdQ9ORx)gQ<yF&4W$vIy-dGuF^hF!wMSiTjRM;tze2ohvt@%2E
zpno@sD=gwV1n!*s5NN6)riR9HsnPOP!}?Lf_<YgKAO}p%OaPY6ZEqt9BTsxT;snBS
zU}ll;1}GH%36e1K#JB(&{f~j^kNiu(=L!E?i+>NeQTX`~BWd&tfY~Q3w+WbaCSC`O
z|3>pAfU&}VlO&8~5nqTnf$%D@`g{#IBK)r`{s8b~@Q9oOTs>*@LwpJ11j1DoPkc5w
z>T7}3e;qJqk>r<Jdg6`3e{Au@I7o~>Dm#qj(l}n+q!$kdrcahhqlP#Sfpr^?KqF5~
zJ^4!!XzG(i&?jTwtkLIL2(-UMbE>+r?JSr3pT6mH9D?rmD}iZR7RMXw!&v*XlmZwv
z#B2|J-ikoeZF$^qTgDupEbkg}2-H*~Xg}NxOe0UsSw4MsBB;I#m~|lkWds`a#5nmI
zej8#Md1BU^`tKsp$kXh)jX^quFdsq7S^&&`=eCP2z6Ds1wRIN19$58{TKraEt;6%c
zG_3=V9XIJ6L)5Sig$TNjrU*y<R0Q=OtS9qX&)X1mKi&;Y)3WHFWiht*Be!D+`qZ-6
zb{hQ<>#?>Km_~jp0_#pc+YofjKL<?HIxuD(80RB!8}4TsIbx1``e8e0<kh$>jT&yt
zm}WG^ohz1frD~nx&aMtGZc@~O^`wqeOEK32%x!gjgIV1w)(qZQ+sj^A8C>tmBDh$C
z1+IP^SHSv_Tnfu3bxkabHETv$jINSpk+NKt#hG=pEXG?v%c4GMB`r(Xe@U&ltD(Eg
zDdugtQ(W8G=@fS~w4@B%zelMp?$@0iZQPoBrnI=!-kwU+zZsXZ$YFZ8KWqB9KW%zB
zK>Pii&3iqa&G~(uO>1vwvtEB^bJFA4<R|vI-%%&&@Vd4oT=jH{yUj$WxS10juh-GL
z7_^y0dq-QlcMuHdmuD`X;c`UHE2?dJM3EneZuS6mcMMR+b)12et7qQRwPVWw{XIKC
z-46$-+dn|vdjr&^2dK+O=MAL)K083&EvM13EZRcR$;3(4m%Tjxs;&`$XY14H+Qpx}
zfA7n<^UwT?q0=$T?1~E<=LBMoUtVFD$C=RDfWMuRhsc=v*dn@#!t;v#8D46{kZs!X
zOu%0+G&(z^RQ-JeI>qFtV#?ctyAsxKr07_`9|ZgzLc=cwuckh}7w|U-)2}rU(I2nu
z)Y0GmfWOg0GP6iz`*nIP;BP(rjYU5F>D8G2`U3tYpTZyS8nmw1%-L@F8;!KqZwUGe
zQvW<u4S!d112Of%`(4G%dKvyUA!hwJLr{O`2mEb@Kb?(2=KDA&;BO&z^daQaUrcmt
z@1%ggKKT1Ccr~q4alqfqN!Y(=82u#>w0>6y{B6fUz_F#K{;ml4i(<O<g7_N?vHDvW
z@K-<7aqd=UqGR&bfWMxyOnWgDeScj6e+S@CXK(bQ^=k|G+m1n6DD~syOzX$HKG6RD
z-Hb7>GdkPfnt;FFa&KnN{^MPR`g=OyZzud|oos(U79D5zwCABqc+mW^P7J)u#4h#i
zb?8vEZ`9C!E&jX|&M6U`>okE_b#Fmu*C+R~%s8C@ownnHfWHp-ThBE_G4=O;z~3YA
zM;-eGhk)-d4_MEobn(#$od2+`n)+jG(M}T%#)a_5**s2}#ve9yu-miz^~ABFU=^VL
zAUman&6zio9X4wOcAEEU84H^;p`GTLEMsB+9>L?nW}U^(w?`K1AIoF{g|kKg(_;hq
zJQ6Y%b~utV7WVJmJuYnS(d_)}UI}OQG|RI(5SxXwMher`05JJD`CAsw8mZLt3YxL7
z*=u$hgW0mMSx?CjVRMDB)59|fps>0B%ur#o{$Zy%QZg1c_j`7_D3bsRo2PXdD(vux
z$XFO7+U`Mm=iR3o(-&z1G1F56>3M<loq_Z{lIC%kkMX!6kiRvMw$IHhZ*L&~b)@Nw
zA<sFQeit!U?cTvbmXGm#6lpbXe_RuYnYJ6u^kAz4m_9d<zBG`o4y03o^s+#DV<7#t
zKzdgo{qsQjcY(BPolIEYvjXXh0_pNVdQKqS7)aj}NN+@%*X4^5@-fqS7-{zXr%d`B
z=kcucXouGe>OX7p&vRZtT8;JnInq4K%s|L@V$Ls-E&;yZq!Z4&0X+t>$zN~s$2t+D
z3xFF<`a*w25=pavFF-#1f7RqCoe4;*vHa;s^C;#VFdyfal;nHkvk=ck<s}gR{Q`5_
zs%-n>nyfT#7I7cABAfKzddQOU_FCR|=*Jr(c=N7h`eiI@t@Eqrm(hWj0@{}Nd@Ghn
zIvZN+vxts{y1P#KMiJhyY3*us?l!M^I9XNm3*qY<zDKJe`r<~vyqb>IMg7V8+H8{R
zIknAgzR>S;^TLNuYk@U&shYZ`RC8<poYb<erX_9l4So)GlyPF-57M6W9qEf7zMMJc
zMGl|w>*BqRC8Gjvv(oJDEJBOGTP<0<-<4Uc?%FJpE({@+8t}VbS<P%|!`oA>cxkKA
zdvnSkV!GsFtNph~%v(RfSHo<jS%YE4yoDD#%VU`LN$W4n@4xb54pEmAA{ehy1#;da
zjtI|VR5iRuqlO%@YItnBGOd^)8gj%D;dy>?<-&HIXvh&qgy*@!P2vZ}`x%x+jyNJb
z&qMAw{J`oEs3Auj5uWEFcRYSztq9bRBaR3^2iPsa53Cx&4IAjpvhYj`S6G<WW7U^i
znDbTT=~^+)aE{APg|QiKv4Li0=F0RTMqcW`dq>5lEpz}gZ5IvuMK$b4#km$X`%d(r
zea$88Gh|X*A(&5o<_M<0n+5X;64xE5XPI4szk+zZVAks~!PN75OFiq(`#EB^iT8@c
zyuQ3CIELgqf{)=k#HVl6j0GP>nwWidreJmj?;FXpk9ln+?nBJ$C^7c~@3n|IM|n&z
z_tn1$K7jc9g1J9mw)i&$^Ql@c0{v7#lP9>CvEZ5DKO=Y+aFyT|#5IE1x9k`CsfMQ2
z;yVQ|0N*Wm4)77d*u?pRU_j?1!F;MYN&0Fg;+v4?%0f=L@Z^Xi!rw*>?%8Qoq9I2d
z5&l}`5idlZ`kXI3Ib!u$PmOF_BN}qV>a$6BKA~-*Uh2~-JUL?Z*<$(RdnxQUa>VNM
zi^B6sX1nEcgYe{t)n^wq92hXZi$R~{h$F&xBdwaRiiRAqYF1Li8%fyHq9I2d5&k>E
z^9l1R<Y{~N2v3e!>$Zj(tX0rn6%9G!i17a|Jdcm{$WxyOg(pX>J~vXslQis)q9I2d
z5q=ZWZaEb=r^}cpM;sA;Gtw^Z$7!7Rvfs!NM}!|EJlBUf7p8{zV!>R0m@Jr2&L6?{
z?i6~&oK<*o#1Y|V2)_XF7UXGrxwb_A<cPJsTdCm$7<Q9rwhE32{{+(RRQ$kdMMI7_
zBK)1gb4}+d<Y_(Ig(pX>_3XCv+o_kaeXsE3h_#*@gy*^C8S1Cu2gW%*+eMBzBK)Jm
z^9_QX$W#AM2v3e!{Xb95=kNpDDH?Lb5#f1%z_M6}7m%ku_XtmpSbgrIMy}&O5)C<G
zy}tjD8tKDdh=v@o_H7R}GOsu&8gj%sm)K`%-W3fwV%5A%ja=)GiiRAq&H-MdCW#-|
zN1`D|taFK8q;*abLSL{?$Pw$D<PB<MpPKt1Xvh(3{~WM1XNezj#Hu-DX=0)wN35E6
zsKN0`ONxdZaRmHm;3Einjw%riIbuCW^;w#7(U2on&4-qzLNw%vRdbA*%kcx7CmM3Z
z5#etUp4Y<@$kV=R6rLQhwvlTAZUso#I?<3Lj#L=h8DwexPBi3*Rg+82bWguUG~|dQ
z!bhp8^fXV1h8%H3_z{+7yJ*M}tA_JOcZTQZ+oB;y91(sLH8VZU4@5(bI3oOLYOe4!
zuZV^maYXnSHC3MGSE3<D91;Gg@SFn-f>h^z+)6Rm3JM03@$S2c&j;ohBIb6Sb`zH%
z=GrRp*@zj4IaSU@(0$77$&(}Y_bD}3;s-Vip&-XVgCoL|$<hotg$8Y-nL4l_*jR)D
z;HijByMUR0mhe0kn0}Dslq;mvlOxu8a@wta=-RyoKQLZm$&(|F2oLD@=NRCEp=7-G
z@rmaF#}SBiom%^fr%Upz1F_b@l#BgF<2KZgBi3U)3arOCFNf5SBi3Vcgr(t7riL7`
zY6>jP)uJIsteR2ONS_<MVB=q~sgGb&f5F()-<FrF0`7d+ECk|jBECUz7vh@*vrlRT
z(_gz_>emTonfD9cg!s#XS+6aES>HzmKZ$soV77^ueAb~FF~_{_mkQy@5$k@b5uWvo
zA*jAdcyh$59}DbWiyzos2rP>naYXogg=f3h2xdEy2<o40<F@38)&Ez7XPXKURL^!&
zPmWmi|5N*MCjCe71Dk_D{B^_&1P?-dyWm{J>=V_j7R-HT+KX*B0IwIG`_8lrJola1
zkHC)uZ$+RVwxd#T3u1fUT`fF0Vr}~^!c!kZ(7vh_o*c32#{%oVYXxSx<cM|OnSBbL
z?Kb-nnC(a+sQ(SX+?E`%`hQ6Ht%$jwRL^!&PmWmifc|mByn-khZ;gd`G4NCbV)p+P
zf)RQ9NHiA+Ux;|TVAekuLF>R}2>KyMtaUJb4*oW9h<yDlVCu;ctDgJPor@os>1PPY
znSK_&32AQ2y0bhz&j9+^v}HIMX$$a!z-GJwv%O}#0n>-^DVl#ox&U|^;)?}uMa<h9
z@+^0TVD=%~p#3mQ_+Y!tSi-i{n>NZdWufTF5o<qi9J}-J16z*3a>)@#g#R1i*{1b^
z*+vGf|33)kb%1SlOYj3@n+wh`(7Q$hGoKXsbG$5n-blSm0nF5Yu!qh0L9WX&P_A5m
zlf>Kz#v)x@M`+~;F3vNw3IsPo<c$HBod%nO;G(^>n-E;7C(}BQHGMAEJ5vY2W2p&I
zDdh_0K2v@cv9yJKr+A@-TP)md;WZZCWZ^9qe#*i-ExgOZ`z+jR;X@Ygv+xNEn>nh~
z-^?Ken>n7~LiC5Wi)%HCxu&C->vD>3voP0Hl;^sf;#C&rvoPf!u`uV3%0FXauGcBw
zW8v2<e89p-EPRYu#v9iV6pyg*XbUGT%=H1)S6H~3SjH{y>lN2qnD^s4o>y9Uy@fXu
z%Q)X^;q4ZF-oih$@XHqF+MpgITw7H9p@p4rhL2i!6tNsrV=c^kH|3{Vc$S41Sa_j@
zTP)1=L-n)9!kaA2`y<snW#OH~a*Xe?@IDLoTKJHK`z(CI!nqjZ>XY}@ienZov~W4G
zoLgpEc#ef{vv8AzyDYrQ!W%98h=rdZmUGuL7Jk9PJr;h=!UrsT#KOlcJP5~u`X6E8
z(H2e;%Q<thg)1yvZQ+|NTu*!^PByT13$L^=AN$~&e)C;@40gJ2>&wbY%BhRRPXBHF
z79LC3*ON^Rl9&TsV4h>~ZwM?gk2U!fxqMg+4(~lrL0&fD{hb1j3;eNwDKn<akzxw)
zfAH<s;nnB9eS4_r41NQ4eCf^Z&>bbO#wtFHdEcJB6uQaX_iX%V+WU_1MeLK=!>0{)
z%}4vMzk$!;W;=(^#D`na-UoUf^FQ1wKnWN4rDOwqM>x8YUoY;@bC0EWVUoEgb_2d0
z{vhpryqJS)Cca-Z-z~lwdZW_+<P0A%_EBFn{6&0sQe70a{}KS^jg^;$uF5xGgqiQc
zh%{u^z)PVX`}6o^=9{7IM|&!hg(K%VUZa!M8!P4e$rhljFDUT^qiK6~*{0N(<6H*U
zBc!lkjPLwD9~!!JZ)!=nXwbC5BOe~pbLGhDA=8hhZ=BqE;f2Wy%c>ej-Z|U#8i@}(
z-%IPKlR2NpN7PAo+|;UkIEUmg`vH<e^7-M)SE{1u5=d^t=XVgiErK`X3(A#yat1l$
zS|C`-=M(tE6%)7+zY)ym*MSo&%|~^A-B0PXLq<ynagfkr=2s?INiUuR4%YxP;Y5AS
z#BC<xu?Pu-CIp&XgS;CXY)ju`5V-B-2)b<rFt=l<MWAt8VjlP8mm<*AC$S5kG#))6
ziJ3l`2FHfcFsA))XxOK$Gh<F>S?6K|)}L)Gw{Rse_X+uV2)teq^9F(Tm()K7J<DbM
zIfM|x9SAh~A?93|{ud!IpL{a{C$dbhMxc==R{i}XVdRNbzl|h}JhAG(0j&FdJ21}S
z#{Uk)H0p`9y)Tf2kymq*9^$;7b(8tMry0QKLUOUNPTtvH^6<po@8ckne4#}C;7r!H
zHO#aB@=U+X;Gdv5slfVMH2w1X|52KL67vQ|7MuNNYO=Bdm!SUbXH(@5*PP@#p-=kk
zhn<nRECxRc^842RPA1r~Ss7Wqnw8V9OZ(;8{h5_{lFrQjz=u`xy3^k-(3jcze!b~$
zrj66C{A+yybS@499#(SuAafNEVtU%+dci<+)dSQu4N&*R0qVXsKpiF-18T?N0qW8N
z)SZLQ8%Y20z0QH?=ATAKA2hzBLX2ssvB?r^q&mKfz*FVvboJtIqBx+xx#|ot{V{Zl
zPRG@HaNOr=I<7jQQ_Q@Lm<w$|d?5laW6b02&O-rzec<%c4(R)MAmA^Fhap^7pg&Ht
z)ZbG9e{2^or)pZK-2q)Y(waxDV!nHT|Ne2rwFb?zb;kob_S4C9BXNDQ{jEHOj_(85
zx>ZQ%rQR;L3_81<shCR~f`I*UHUjh5&({Y09XLg~ivzkt(CH-?Zv3+N9<N<)46pig
zorL9bTBqfHG2m}2(t3He{r!{ZN=U-~8R>)v%`aS={vdB}zZYpvlhmlAeFwZ^rn&wa
zBM{R(z8he-<HM2OnjG5^N6>b>81NT|KdzssslVL;e`C+`bo4g{LH*?c>oG|mFJa#E
z)06n4UyF9$z&$h9WG(`KJ_7ymc;a-*_O~4cya`TC>!<0H#ixJ&pGR88{_^iV&>5D6
z&Ezmcgw2Sx)4Ymh?DXG*WViDF-}f2Z;~DG!{YyNP2^7YNvwMW&gx3N!rezt$P)uX^
zo8$L-#QFG_Fge~2^EvKlJg4&eiYX@Ljl+EWZH8;J(j(1#^Q1UV^YPUB^I7?LzaMGd
z{#<49&vu^3%0JinHqtQ!UOVzpvmYU*@f?uPC*1NLxx7`5Ke<@fp83;_oU~_NM9!YD
z>!jbFQ7RXlOWM3Oi&VP*{84lK!n3D~%nr^GbrWl%ZCZ+Rm+VB&)e7WfP$Bq6#OzyF
zhQ`IhlOv7@&)4&~?M%cR18xjIFz!F{<cK3N{J?n4aAi2n0;Yx>aYT4iuG9^*Ur#Ov
z@SPaiR0QIB#MOeiU5(&I#HKz{PmV9@$q{S)ON6gLZ0Z&RfR!OoPmWmY&#|g~QYjj8
z#Om{E;cFQqxH0^|u0x<ta>VMBx3caS{J_}n)Q}^N2+wBleS~?4xu!<UTY8#qn*=6L
zBi3zA8^QB>X8KlqPDGk|a>S}P`wl$YWcpC_rq98XBUZiXH_^-lPoLz7Rb%>1G}WRZ
zN30rCH+xL--W)aufzNoEf2-i<5Z4Rdfw)sJHTMdpW}RSaHVdZaQNh$aC77CTS^NaS
z+YwK;u<0Mvhx|0*n-NzCz8~=n!SreRFa!Xbg}}CuBaVP)Kk)oUo=YTA1UH5s*n9-?
z<cM|5nEn)>i$z0@SbZ)Pel=qRH-;bBT?q6^j#zz~aVS1FiiRAq`g~CMZHPxBxH0^|
z9!8)~a>VKr&~e45>4z{Gug&_L$CQh0)l_f#LAJH)HWotFlvtQ!lJhYd`&RJ+3oo>A
zi-o%_yvD+th&f<jTM!gKW#OH~Twj9iLQuTV!o9>f_<<clP~2zX6U4j#!OU|`!Mq<)
zK1R%rgqi1@g3B#_CNYjdnt9GC*gWSHY@Txp=DmmNS6SFR=M>E&<cE1apRllb&MCZk
z&MEuRJm(b5`MW-+I$&Y*oKrN%EZ#il6n+Huziw-ua|&;sa|)hpX(}vio^y)EJm(Z_
co^uLrxAf*Yr|{-ECkG&GGc|&FpP~3a0le0ADgXcg

diff --git a/third_party/openssl/Makefile b/third_party/openssl/Makefile
index 5628afd5..354bbb4a 100644
--- a/third_party/openssl/Makefile
+++ b/third_party/openssl/Makefile
@@ -1,47 +1,54 @@
-
-#############################################################
-# Required variables for each makefile
-# Discard this section from all parent makefiles
-# Expected variables (with automatic defaults):
-#   CSRCS (all "C" files in the dir)
-#   SUBDIRS (all subdirs with a Makefile)
-#   GEN_LIBS - list of libs to be generated ()
-#   GEN_IMAGES - list of images to be generated ()
-#   COMPONENTS_xxx - a list of libs/objs in the form
-#     subdir/lib to be extracted and rolled up into
-#     a generated lib/image xxx.a ()
-#
-ifndef PDIR
-
-GEN_LIBS = libopenssl.a
-
-endif
-
-
-#############################################################
-# Configuration i.e. compile options etc.
-# Target specific stuff (defines etc.) goes in here!
-# Generally values applying to a tree are captured in the
-#   makefile at its root level - these are then overridden
-#   for a subtree within the makefile rooted therein
-#
-#DEFINES += 
-
-#############################################################
-# Recursion Magic - Don't touch this!!
-#
-# Each subtree potentially has an include directory
-#   corresponding to the common APIs applicable to modules
-#   rooted at that subtree. Accordingly, the INCLUDE PATH
-#   of a module can only contain the include directories up
-#   its parent path, and not its siblings
-#
-# Required for each makefile to inherit from the parent
-#
-
-INCLUDES := $(INCLUDES) -I $(PDIR)include
-INCLUDES += -I $(SDK_PATH)/include/openssl
-INCLUDES += -I ./
-PDIR := ../$(PDIR)
-sinclude $(PDIR)Makefile
-
+
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of images to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+ifndef PDIR
+UP_EXTRACT_DIR = ..
+GEN_LIBS = libopenssl.a
+COMPONENTS_libopenssl = library/liblibrary.a platform/libplatform.a
+endif
+
+CCFLAGS += -fno-aggressive-loop-optimizations
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+DEFINES += -D_POSIX_SOURCE \
+			-DLWIP_OPEN_SRC	\
+			-DPBUF_RSV_FOR_WLAN	\
+			-DEBUF_LWIP \
+			-DMEMLEAK_DEBUG
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(SDK_PATH)/include/openssl/ \
+                        -I $(SDK_PATH)/include/openssl/openssl \
+                        -I $(SDK_PATH)/include/openssl/internal \
+                        -I $(SDK_PATH)/include/openssl/platform
+INCLUDES += -I ./
+PDIR := ../$(PDIR)
+sinclude $(PDIR)Makefile
+
diff --git a/third_party/openssl/OpenSSL-APIs.rst b/third_party/openssl/OpenSSL-APIs.rst
new file mode 100644
index 00000000..93e438dc
--- /dev/null
+++ b/third_party/openssl/OpenSSL-APIs.rst
@@ -0,0 +1,1797 @@
+OpenSSL-APIs 
+------------
+
+This directory does not contain OpenSSL itself, but the code here can be used as a wrapper for applications using the OpenSSL API. 
+It uses mbedTLS to do the actual work, so anyone compiling openssl code needs the mbedtls library and header file.
+
+OpenSSL APIs not mentioned in this article are not open to public for the time,
+also do not have the corresponding function.
+If user calls it directly, it will always return an error or may show cannot link at compiling time.
+
+Chapter Introduction
+====================
+
+- Chapter 1. SSL Context Method Create
+- Chapter 2. SSL Context Fucntion
+- Chapter 3. SSL Fucntion
+- Chapter 4. SSL X509 Certification and Private Key Function
+
+
+Chapter 1. SSL Context Method Create 
+====================================
+
+1.1 const SSL_METHOD* ``SSLv3_client_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        SSLV3.0 version SSL context client method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = SSLv3_client_method();
+ 
+            ...
+        }
+
+1.2 const SSL_METHOD* ``TLSv1_client_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.0 version SSL context client method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_client_method();
+ 
+            ...
+        }
+
+1.3 const SSL_METHOD* ``TLSv1_1_client_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.1 version SSL context client method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_1_client_method();
+ 
+            ...
+        }
+
+1.4 const SSL_METHOD* ``TLSv1_2_client_method`` (void)
+
+    Arguments::
+    
+       none
+    
+    Return::
+    
+       TLSV1.2 version SSL context client method point
+    
+    Description::
+    
+       create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_2_client_method();
+ 
+            ...
+        }
+        
+1.5 const SSL_METHOD* ``TLS_client_method`` (void)
+
+    Arguments::
+    
+       none
+    
+    Return::
+    
+       TLSV1.2 version SSL context client method point
+    
+    Description::
+    
+       create the default SSL context method, it's always to be TLSV1.2
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_2_client_method();
+ 
+            ...
+        }        
+
+1.6 const SSL_METHOD* ``SSLv3_server_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        SSLV3.0 version SSL context server method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = SSLv3_server_method();
+ 
+            ...
+        }
+
+1.7 const SSL_METHOD* ``TLSv1_server_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.0 version SSL context server method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_server_method();
+ 
+            ...
+        }
+
+1.8 const SSL_METHOD* ``TLSv1_1_server_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.1 version SSL context server method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example :
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_1_server_method();
+ 
+            ...
+        }
+
+
+1.9 const SSL_METHOD* ``TLSv1_2_server_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.2 version SSL context server method point
+    
+    Description::
+    
+        create the target SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_2_server_method();
+ 
+            ...
+        }
+
+1.10 const SSL_METHOD* ``TLS_server_method`` (void)
+
+    Arguments::
+    
+        none
+    
+    Return::
+    
+        TLSV1.2 version SSL context server method point
+    
+    Description::
+    
+        create the default SSL context method, it's always to be TLSV1.2
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method = TLSv1_2_server_method();
+ 
+            ...
+        }
+
+
+Chapter 2. SSL Context Fucntion
+===============================
+
+
+2.1 SSL_CTX* ``SSL_CTX_new`` (const SSL_METHOD *method)
+
+    Arguments::
+    
+        method - the SSL context method point
+    
+    Return::
+    
+        context point
+    
+    Description::
+    
+        create a SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL_CTX *ctx = SSL_CTX_new(SSLv3_server_method());
+ 
+            ...
+        }
+
+
+2.2 ``void SSL_CTX_free`` (SSL_CTX *ctx)
+
+    Arguments::
+    
+        ctx - the SSL context point
+    
+    Return::
+    
+        none
+    
+    Description::
+    
+        free a SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL_CTX *ctx;
+        
+            ... ...
+            
+            SSL_CTX_free(ctx);
+        }
+
+
+2.3 ``int SSL_CTX_set_ssl_version`` (SSL_CTX *ctx, const SSL_METHOD *meth)
+
+    Arguments::
+    
+        ctx  - SSL context point
+        meth - SSL method point
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+    
+    Description::
+    
+        set the SSL context version
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL_CTX *ctx;
+            const SSL_METHOD *meth;
+            
+            ... ...
+            
+            SSL_CTX_set_ssl_version(ctx, meth);    
+        }
+
+
+2.4 const SSL_METHOD* ``SSL_CTX_get_ssl_method`` (SSL_CTX *ctx)
+
+    Arguments::
+    
+        ctx - SSL context point
+    
+    Return::
+    
+        SSL context method
+    
+    Description::
+    
+        get the SSL context method
+    
+    Example::
+    
+        void example(void)
+        {
+            const SSL_METHOD *method;
+            SSL_CTX *ctx;
+            
+            ... ...
+                
+            method = SSL_CTX_get_ssl_method(ctx);    
+        }
+
+
+
+Chapter 3. SSL Fucntion
+=======================
+
+
+3.1 SSL* ``SSL_new`` (SSL_CTX *ctx)
+
+    Arguments::
+    
+        ctx - SSL context point
+    
+    Return::
+    
+        SSL method
+    
+    Description::
+    
+        create a SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            SSL_CTX *ctx;
+
+            ... ...
+   
+            ssl = SSL_new(ctx);
+        }
+
+
+3.2 void ``SSL_free`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        none
+    
+    Description::
+    
+        free SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            
+            ... ...
+            
+            SSL_free(ssl);
+        }
+        
+
+3.3 int ``SSL_do_handshake`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : OK
+        0 : failed, connect is close by remote
+       -1 : a error catch
+    
+    Description::
+    
+        perform the SSL handshake
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_do_handshake(ssl);
+        }
+
+
+3.4 int ``SSL_connect`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : OK
+        0 : failed, connect is close by remote
+       -1 : a error catch
+    
+    Description::
+    
+        connect to the remote SSL server
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_connect(ssl);
+        }
+
+
+3.5 int ``SSL_accept`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : OK
+        0 : failed, connect is close by remote
+       -1 : a error catch
+    
+    Description::
+    
+        accept the remote connection
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_accept(ssl);
+        }
+
+
+3.6 int ``SSL_shutdown`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : OK
+        0 : failed, connect is close by remote
+       -1 : a error catch
+    
+    Description::
+    
+        shutdown the connection
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_shutdown(ssl);
+        }
+
+
+3.7 int ``SSL_clear`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        shutdown the connection
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_clear(ssl);
+        }
+
+
+3.8 int ``SSL_read`` (SSL *ssl, void *buffer, int len)
+
+    Arguments::
+    
+        ssl    - point
+        buffer - data buffer point
+        len    - data length
+    
+    Return::
+    
+        > 0 : OK, and return received data bytes
+        = 0 : no data received or connection is closed
+        < 0 : an error catch
+        
+    Description::
+    
+        read data from remote
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            char *buf;
+            int len;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_read(ssl, buf, len);
+        }
+
+3.9 int ``SSL_write`` (SSL *ssl, const void *buffer, int len)
+
+    Arguments::
+    
+        ssl    - SSL point
+        buffer - data buffer point
+        len    - data length
+    
+    Return::
+    
+        > 0 : OK, and return received data bytes
+        = 0 : no data sent or connection is closed
+        < 0 : an error catch
+        
+    Description::
+    
+        send the data to remote
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            char *buf;
+            int len;
+            int ret;
+            
+            ... ...
+            
+            ret = SSL_write(ssl, buf, len);
+        }
+
+
+3.10 ``SSL_CTX *SSL_get_SSL_CTX`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL context
+        
+    Description::
+    
+        get SSL context of the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            SSL_CTX *ctx;
+            
+            ... ...
+            
+            ctx = SSL_get_SSL_CTX(ssl);
+        }
+
+
+3.11 int ``SSL_get_shutdown`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        shutdown mode
+        
+    Description::
+    
+        get SSL shutdown mode
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int mode;
+            
+            ... ...
+            
+            mode = SSL_get_SSL_CTX(ssl);
+        }
+
+
+3.12 void ``SSL_set_shutdown`` (SSL *ssl, int mode)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        shutdown mode
+        
+    Description::
+    
+        set SSL shutdown mode
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int mode = 0;
+            
+            ... ...
+            
+            SSL_set_shutdown(ssl, mode);
+        }
+
+
+3.13 const SSL_METHOD* ``SSL_get_ssl_method`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL method
+        
+    Description::
+    
+        set SSL shutdown mode
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            const SSL_METHOD *method;
+            
+            ... ...
+            
+            method = SSL_get_ssl_method(ssl);
+        }
+        
+
+3.14 int ``SSL_set_ssl_method`` (SSL *ssl, const SSL_METHOD *method)
+
+    Arguments::
+    
+        ssl  - SSL point
+        meth - SSL method point
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        set the SSL method
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            const SSL_METHOD *method;
+            
+            ... ...
+            
+            ret = SSL_set_ssl_method(ssl, method);
+        }
+
+
+3.15 int ``SSL_pending`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        data bytes
+        
+    Description::
+    
+        get received data bytes
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            
+            ... ...
+            
+            ret = SSL_pending(ssl);
+        }
+
+
+3.16 int ``SSL_has_pending`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        1 : Yes
+        0 : No
+        
+    Description::
+    
+        check if data is received
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            
+            ... ...
+            
+            ret = SSL_has_pending(ssl);
+        }
+
+
+3.17 int ``SSL_get_fd`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        >= 0 : socket id
+         < 0 : a error catch
+        
+    Description::
+    
+        get the socket of the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            
+            ... ...
+            
+            ret = SSL_get_fd(ssl);
+        }
+
+
+3.18 int ``SSL_get_rfd`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        >= 0 : socket id
+         < 0 : a error catch
+        
+    Description::
+    
+        get the read only socket of the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            
+            ... ...
+            
+            ret = SSL_get_rfd(ssl);
+        }
+
+
+3.19 int ``SSL_get_wfd`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        >= 0 : socket id
+         < 0 : a error catch
+        
+    Description::
+    
+        get the write only socket of the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            
+            ... ...
+            
+            ret = SSL_get_wfd(ssl);
+        }
+
+
+3.20 int ``SSL_set_fd`` (SSL *ssl, int fd)
+
+    Arguments::
+    
+        ssl - SSL point
+        fd  - socket id
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        set socket to SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            int socket;
+                        
+            ... ...
+            
+            ret = SSL_set_fd(ssl, socket);
+        }
+
+
+3.21 int ``SSL_set_rfd`` (SSL *ssl, int fd)
+
+    Arguments::
+    
+        ssl - SSL point
+        fd  - socket id
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        set read only socket to SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            int socket;
+                        
+            ... ...
+            
+            ret = SSL_set_rfd(ssl, socket);
+        }
+        
+
+3.22 int ``SSL_set_wfd`` (SSL *ssl, int fd)
+
+    Arguments::
+    
+        ssl - SSL point
+        fd  - socket id
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        set write only socket to SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            int socket;
+                        
+            ... ...
+            
+            ret = SSL_set_wfd(ssl, socket);
+        }
+        
+
+3.23 int ``SSL_version`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL version
+        
+    Description::
+    
+        get SSL version
+    
+    Example::
+    
+        void example(void)
+        {
+            int version;
+            SSL *ssl;
+                        
+            ... ...
+            
+            version = SSL_version(ssl);
+        }
+
+
+3.24 const char* ``SSL_get_version`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL version string
+        
+    Description::
+    
+        get the SSL current version string
+    
+    Example::
+    
+        void example(void)
+        {
+            char *version;
+            SSL *ssl;
+                        
+            ... ...
+            
+            version = SSL_get_version(ssl);
+        }
+        
+        
+3.25 OSSL_HANDSHAKE_STATE ``SSL_get_state`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL state
+        
+    Description::
+    
+        get the SSL state
+    
+    Example::
+    
+        void example(void)
+        {
+            OSSL_HANDSHAKE_STATE state;
+            SSL *ssl;
+                        
+            ... ...
+            
+            state = SSL_get_state(ssl);
+        }
+
+
+3.26 const char* ``SSL_alert_desc_string`` (int value)
+
+    Arguments::
+    
+        value - SSL description
+    
+    Return::
+    
+        alert value string
+        
+    Description::
+    
+        get alert description string
+    
+    Example::
+    
+        void example(void)
+        {
+            int val;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_alert_desc_string(val);
+        }
+
+
+3.27 const char* ``SSL_alert_desc_string_long`` (int value)
+
+    Arguments::
+    
+        value - SSL description
+    
+    Return::
+    
+        alert value long string
+        
+    Description::
+    
+        get alert description long string
+    
+    Example::
+    
+        void example(void)
+        {
+            int val;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_alert_desc_string_long(val);
+        }
+
+
+3.28 const char* ``SSL_alert_type_string`` (int value)
+
+    Arguments::
+    
+        value - SSL type description
+    
+    Return::
+    
+        alert type string
+        
+    Description::
+    
+        get alert type string
+    
+    Example::
+    
+        void example(void)
+        {
+            int val;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_alert_type_string(val);
+        }
+        
+        
+3.29 const char* ``SSL_alert_type_string_long`` (int value)
+
+    Arguments::
+    
+        value - SSL type description
+    
+    Return::
+    
+        alert type long string
+        
+    Description::
+    
+        get alert type long string
+    
+    Example::
+    
+        void example(void)
+        {
+            int val;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_alert_type_string_long(val);
+        }
+
+3.30 const char* ``SSL_rstate_string`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        state string
+        
+    Description::
+    
+        get the state string where SSL is reading
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_rstate_string(ssl);
+        }
+        
+
+3.31 const char* ``SSL_rstate_string_long`` (SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        state long string
+        
+    Description::
+    
+        get the state long string where SSL is reading
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_rstate_string_long(ssl);
+        }
+
+
+3.32 const char* ``SSL_state_string`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        state string
+        
+    Description::
+    
+        get the state string
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            const char *str;
+                        
+            ... ...
+            
+            str = SSL_state_string(ssl);
+        }
+
+
+3.33 char* ``SSL_state_string_long`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        state long string
+        
+    Description::
+    
+        get the state long string
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            char *str;
+                        
+            ... ...
+            
+            str = SSL_state_string(ssl);
+        }
+
+
+3.34 int ``SSL_get_error`` (const SSL *ssl, int ret_code)
+
+    Arguments::
+    
+        ssl      - SSL point
+        ret_code - SSL return code
+    
+    Return::
+    
+        SSL error number
+        
+    Description::
+    
+        get SSL error code
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+            int err;
+                        
+            ... ...
+            
+            err = SSL_get_error(ssl, ret);
+        }
+
+3.35 int ``SSL_want`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        specifical statement
+        
+    Description::
+    
+        get the SSL specifical statement
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int state;
+                        
+            ... ...
+            
+            state = SSL_want(ssl);
+        }
+        
+
+3.36 int ``SSL_want_nothing`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        0 : false
+        1 : true
+        
+    Description::
+    
+        check if SSL want nothing
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+                        
+            ... ...
+            
+            ret = SSL_want(ssl);
+        }
+        
+        
+3.37 int ``SSL_want_read`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        0 : false
+        1 : true
+        
+    Description::
+    
+        check if SSL want to read
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+                        
+            ... ...
+            
+            ret = SSL_want_read(ssl);
+        }
+
+
+3.38 int ``SSL_want_write`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        0 : false
+        1 : true
+        
+    Description::
+    
+        check if SSL want to write
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            int ret;
+                        
+            ... ...
+            
+            ret = SSL_want_write(ssl);
+        }        
+
+
+Chapter 4. SSL X509 Certification and Private Key Function
+==========================================================
+
+
+4.1 X509* ``d2i_X509`` (X509 **cert, const unsigned char *buffer, long len)
+
+    Arguments::
+    
+        cert   - a point pointed to X509 certification
+        buffer - a point pointed to the certification context memory point
+        length - certification bytes
+    
+    Return::
+    
+        X509 certification object point
+        
+    Description::
+    
+        load a character certification context into system context. If '*cert' is pointed to the
+        certification, then load certification into it. Or create a new X509 certification object
+    
+    Example::
+    
+        void example(void)
+        {
+            X509 *new;
+            X509 *cert;
+            unsigned char *buffer;
+            long len;            
+            ... ...
+            
+            new = d2i_X509(&cert, buffer, len);
+        }
+
+
+4.2 int ``SSL_add_client_CA`` (SSL *ssl, X509 *x)
+
+    Arguments::
+    
+        ssl - SSL point
+        x   - CA certification point
+    
+    Return::
+
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        add CA client certification into the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            X509 *new;
+                        
+            ... ...
+            
+            ret = SSL_add_client_CA(ssl, new);
+        }
+
+
+4.3 int ``SSL_CTX_add_client_CA`` (SSL_CTX *ctx, X509 *x)
+
+    Arguments::
+    
+        ctx - SSL context point
+         x   - CA certification point
+    
+    Return::
+
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        add CA client certification into the SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL_CTX *ctx;
+            X509 *new;
+                        
+            ... ...
+            
+            ret = SSL_add_clSSL_CTX_add_client_CAient_CA(ctx, new);
+        }
+
+
+4.4 X509* ``SSL_get_certificate`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        SSL certification point
+        
+    Description::
+    
+        get the SSL certification point
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            X509 *cert;
+                        
+            ... ...
+            
+            cert = SSL_get_certificate(ssl);
+        }
+
+
+4.5 long ``SSL_get_verify_result`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        the result of verifying
+        
+    Description::
+    
+        get the verifying result of the SSL certification
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            long ret;
+                        
+            ... ...
+            
+            ret = SSL_get_verify_result(ssl);
+        }
+
+
+4.6 int ``SSL_CTX_use_certificate`` (SSL_CTX *ctx, X509 *x)
+
+    Arguments::
+    
+        ctx  - the SSL context point
+        pkey - certification object point
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load the certification into the SSL_CTX or SSL object
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL_CTX *ctx
+            X509 *new;
+                        
+            ... ...
+            
+            ret = SSL_CTX_use_certificate(ctx, new);
+        }
+
+
+4.7 int ``SSL_CTX_use_certificate_ASN1`` (SSL_CTX *ctx, int len, const unsigned char *d)
+
+    Arguments::
+    
+        ctx - SSL context point
+        len - certification length
+        d   - data point
+    
+    Return::
+     
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load the ASN1 certification into SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL_CTX *ctx;
+            const unsigned char *buf;
+            int len;
+                        
+            ... ...
+            
+            ret = SSL_CTX_use_certificate_ASN1(ctx, len, buf);
+        }
+        
+
+4.8 int ``SSL_CTX_use_PrivateKey`` (SSL_CTX *ctx, EVP_PKEY *pkey)
+
+    Arguments::
+    
+        ctx - SSL context point
+        pkey - private key object point
+    
+    Return::
+
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load the private key into the context object
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL_CTX *ctx;
+            EVP_PKEY *pkey;
+                        
+            ... ...
+            
+            ret = SSL_CTX_use_PrivateKey(ctx, pkey);
+        }
+
+
+4.9 int ``SSL_CTX_use_PrivateKey_ASN1`` (int pk, SSL_CTX *ctx, const unsigned char *d,  long len)
+
+    Arguments::
+    
+        ctx - SSL context point
+        d   - data point
+        len - private key length
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load the ASN1 private key into SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            int pk;
+            SSL_CTX *ctx;
+            const unsigned char *buf;
+            long len;
+                        
+            ... ...
+            
+            ret = SSL_CTX_use_PrivateKey_ASN1(pk, ctx, buf, len);
+        }
+        
+
+4.10 int ``SSL_CTX_use_RSAPrivateKey_ASN1`` (SSL_CTX *ctx, const unsigned char *d, long len)
+
+    Arguments::
+    
+        ctx - SSL context point
+        d   - data point
+        len - private key length
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load the RSA ASN1 private key into SSL context
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL_CTX *ctx;
+            const unsigned char *buf;
+            long len;
+                        
+            ... ...
+            
+            ret = SSL_CTX_use_RSAPrivateKey_ASN1(ctx, buf, len);
+        }
+
+
+4.11 int ``SSL_use_certificate_ASN1`` (SSL *ssl, int len, const unsigned char *d)
+
+    Arguments::
+    
+        ssl - SSL point
+        len - data bytes
+        d   - data point
+    
+    Return::
+    
+        1 : OK
+        0 : failed
+        
+    Description::
+    
+        load certification into the SSL
+    
+    Example::
+    
+        void example(void)
+        {
+            int ret;
+            SSL *ssl;
+            const unsigned char *buf;
+            long len;
+                        
+            ... ...
+            
+            ret = SSL_use_certificate_ASN1(ssl, len, buf);
+        }
+
+
+4.12 X509* ``SSL_get_peer_certificate`` (const SSL *ssl)
+
+    Arguments::
+    
+        ssl - SSL point
+    
+    Return::
+    
+        peer certification
+        
+    Description::
+    
+        get peer certification
+    
+    Example::
+    
+        void example(void)
+        {
+            SSL *ssl;
+            X509 *peer;
+                        
+            ... ...
+            
+            peer = SSL_get_peer_certificate(ssl);
+        }
+
diff --git a/third_party/openssl/library/Makefile b/third_party/openssl/library/Makefile
new file mode 100644
index 00000000..836e81dc
--- /dev/null
+++ b/third_party/openssl/library/Makefile
@@ -0,0 +1,46 @@
+
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of images to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+ifndef PDIR
+
+GEN_LIBS = liblibrary.a
+
+endif
+
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+#DEFINES += 
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(PDIR)include
+INCLUDES += -I ./
+PDIR := ../$(PDIR)
+sinclude $(PDIR)Makefile
+
diff --git a/third_party/openssl/library/ssl_cert.c b/third_party/openssl/library/ssl_cert.c
new file mode 100755
index 00000000..5c608125
--- /dev/null
+++ b/third_party/openssl/library/ssl_cert.c
@@ -0,0 +1,87 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_cert.h"
+#include "ssl_pkey.h"
+#include "ssl_x509.h"
+#include "ssl_dbg.h"
+#include "ssl_port.h"
+
+/**
+ * @brief create a certification object according to input certification
+ */
+CERT *__ssl_cert_new(CERT *ic)
+{
+    CERT *cert;
+
+    X509 *ix;
+    EVP_PKEY *ipk;
+
+    cert = ssl_mem_zalloc(sizeof(CERT));
+    if (!cert) {
+        SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "no enough memory > (cert)");
+        goto no_mem;
+    }
+
+    if (ic) {
+        ipk = ic->pkey;
+        ix = ic->x509;
+    } else {
+        ipk = NULL;
+        ix = NULL;
+    }
+
+    cert->pkey = __EVP_PKEY_new(ipk);
+    if (!cert->pkey) {
+        SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL");
+        goto pkey_err;
+    }
+
+    cert->x509 = __X509_new(ix);
+    if (!cert->x509) {
+        SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__X509_new() return NULL");
+        goto x509_err;
+    }
+
+    return cert;
+
+x509_err:
+    EVP_PKEY_free(cert->pkey);
+pkey_err:
+    ssl_mem_free(cert);
+no_mem:
+    return NULL;
+}
+
+/**
+ * @brief create a certification object include private key object
+ */
+CERT *ssl_cert_new(void)
+{
+    return __ssl_cert_new(NULL);
+}
+
+/**
+ * @brief free a certification object
+ */
+void ssl_cert_free(CERT *cert)
+{
+    SSL_ASSERT3(cert);
+
+    X509_free(cert->x509);
+
+    EVP_PKEY_free(cert->pkey);
+
+    ssl_mem_free(cert);
+}
diff --git a/third_party/openssl/library/ssl_lib.c b/third_party/openssl/library/ssl_lib.c
new file mode 100755
index 00000000..43c13007
--- /dev/null
+++ b/third_party/openssl/library/ssl_lib.c
@@ -0,0 +1,1556 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_lib.h"
+#include "ssl_pkey.h"
+#include "ssl_x509.h"
+#include "ssl_cert.h"
+#include "ssl_dbg.h"
+#include "ssl_port.h"
+
+#define SSL_SEND_DATA_MAX_LENGTH 1460
+
+/**
+ * @brief create a new SSL session object
+ */
+static SSL_SESSION* SSL_SESSION_new(void)
+{
+    SSL_SESSION *session;
+
+    session = ssl_mem_zalloc(sizeof(SSL_SESSION));
+    if (!session) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)");
+        goto failed1;
+    }
+
+    session->peer = X509_new();
+    if (!session->peer) {
+       SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
+       goto failed2;
+    }
+
+    return session;
+
+failed2:
+    ssl_mem_free(session);
+failed1:
+    return NULL;
+}
+
+/**
+ * @brief free a new SSL session object
+ */
+static void SSL_SESSION_free(SSL_SESSION *session)
+{
+    X509_free(session->peer);
+    ssl_mem_free(session);
+}
+
+/**
+ * @brief Discover whether the current connection is in the error state
+ */
+int ossl_statem_in_error(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    if (ssl->statem.state == MSG_FLOW_ERROR)
+        return 1;
+
+    return 0;
+}
+
+/**
+ * @brief get the SSL specifical statement
+ */
+int SSL_want(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->rwstate;
+}
+
+/**
+ * @brief check if SSL want nothing
+ */
+int SSL_want_nothing(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return (SSL_want(ssl) == SSL_NOTHING);
+}
+
+/**
+ * @brief check if SSL want to read
+ */
+int SSL_want_read(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return (SSL_want(ssl) == SSL_READING);
+}
+
+/**
+ * @brief check if SSL want to write
+ */
+int SSL_want_write(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return (SSL_want(ssl) == SSL_WRITING);
+}
+
+/**
+ * @brief check if SSL want to lookup X509 certification
+ */
+int SSL_want_x509_lookup(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return (SSL_want(ssl) == SSL_WRITING);
+}
+
+/**
+ * @brief get SSL error code
+ */
+int SSL_get_error(const SSL *ssl, int ret_code)
+{
+    int ret = SSL_ERROR_SYSCALL;
+
+    SSL_ASSERT1(ssl);
+
+    if (ret_code > 0)
+        ret = SSL_ERROR_NONE;
+    else if (ret_code < 0)
+    {
+        if (SSL_want_read(ssl))
+            ret = SSL_ERROR_WANT_READ;
+        else if (SSL_want_write(ssl))
+            ret = SSL_ERROR_WANT_WRITE;
+        else
+            ret = SSL_ERROR_SYSCALL; //unknown
+    }
+    else // ret_code == 0
+    {
+        if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN)
+            ret = SSL_ERROR_ZERO_RETURN;
+        else
+            ret = SSL_ERROR_SYSCALL;
+    }
+
+    return ret;
+}
+
+/**
+ * @brief get the SSL state
+ */
+OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
+{
+    OSSL_HANDSHAKE_STATE state;
+
+    SSL_ASSERT1(ssl);
+
+    state = SSL_METHOD_CALL(get_state, ssl);
+
+    return state;
+}
+
+/**
+ * @brief create a SSL context
+ */
+SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
+{
+    SSL_CTX *ctx;
+    CERT *cert;
+    X509 *client_ca;
+
+    if (!method) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
+        return NULL;
+    }
+
+    client_ca = X509_new();
+    if (!client_ca) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL");
+        goto failed1;
+    }
+
+    cert = ssl_cert_new();
+    if (!cert) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL");
+        goto failed2;
+    }
+
+    ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX));
+    if (!ctx) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)");
+        goto failed3;
+    }
+
+    ctx->method = method;
+    ctx->client_CA = client_ca;
+    ctx->cert = cert;
+
+    ctx->version = method->version;
+
+    return ctx;
+
+failed3:
+    ssl_cert_free(cert);
+failed2:
+    X509_free(client_ca);
+failed1:
+    return NULL;
+}
+
+/**
+ * @brief free a SSL context
+ */
+void SSL_CTX_free(SSL_CTX* ctx)
+{
+    SSL_ASSERT3(ctx);
+
+    ssl_cert_free(ctx->cert);
+
+    X509_free(ctx->client_CA);
+
+    ssl_mem_free(ctx);
+}
+
+/**
+ * @brief set  the SSL context version
+ */
+int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
+{
+    SSL_ASSERT1(ctx);
+    SSL_ASSERT1(meth);
+
+    ctx->method = meth;
+
+    ctx->version = meth->version;
+
+    return 1;
+}
+
+/**
+ * @brief get the SSL context current method
+ */
+const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
+{
+    SSL_ASSERT2(ctx);
+
+    return ctx->method;
+}
+
+/**
+ * @brief create a SSL
+ */
+SSL *SSL_new(SSL_CTX *ctx)
+{
+    int ret = 0;
+    SSL *ssl;
+
+    if (!ctx) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx");
+        return NULL;
+    }
+
+    ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL));
+    if (!ssl) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)");
+        goto failed1;
+    }
+
+    ssl->session = SSL_SESSION_new();
+    if (!ssl->session) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL");
+        goto failed2;
+    }
+
+    ssl->cert = __ssl_cert_new(ctx->cert);
+    if (!ssl->cert) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL");
+        goto failed3;
+    }
+
+    ssl->client_CA = __X509_new(ctx->client_CA);
+    if (!ssl->client_CA) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL");
+        goto failed4;
+    }
+
+    ssl->ctx = ctx;
+    ssl->method = ctx->method;
+
+    ssl->version = ctx->version;
+    ssl->options = ctx->options;
+
+    ssl->verify_mode = ctx->verify_mode;
+
+    ret = SSL_METHOD_CALL(new, ssl);
+    if (ret) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
+        goto failed5;
+    }
+
+    ssl->rwstate = SSL_NOTHING;
+
+    return ssl;
+
+failed5:
+    X509_free(ssl->client_CA);
+failed4:
+    ssl_cert_free(ssl->cert);
+failed3:
+    SSL_SESSION_free(ssl->session);
+failed2:
+    ssl_mem_free(ssl);
+failed1:
+    return NULL;
+}
+
+/**
+ * @brief free the SSL
+ */
+void SSL_free(SSL *ssl)
+{
+    SSL_ASSERT3(ssl);
+
+    SSL_METHOD_CALL(free, ssl);
+
+    X509_free(ssl->client_CA);
+
+    ssl_cert_free(ssl->cert);
+
+    SSL_SESSION_free(ssl->session);
+
+    ssl_mem_free(ssl);
+}
+
+/**
+ * @brief perform the SSL handshake
+ */
+int SSL_do_handshake(SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_METHOD_CALL(handshake, ssl);
+
+    return ret;
+}
+
+/**
+ * @brief connect to the remote SSL server
+ */
+int SSL_connect(SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return SSL_do_handshake(ssl);
+}
+
+/**
+ * @brief accept the remote connection
+ */
+int SSL_accept(SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return SSL_do_handshake(ssl);
+}
+
+/**
+ * @brief shutdown the connection
+ */
+int SSL_shutdown(SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    if (SSL_get_state(ssl) != TLS_ST_OK) return 1;
+
+    ret = SSL_METHOD_CALL(shutdown, ssl);
+
+    return ret;
+}
+
+/**
+ * @brief reset the SSL
+ */
+int SSL_clear(SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_shutdown(ssl);
+    if (1 != ret) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
+        goto failed1;
+    }
+
+    SSL_METHOD_CALL(free, ssl);
+
+    ret = SSL_METHOD_CALL(new, ssl);
+    if (!ret) {
+        SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
+        goto failed1;
+    }
+
+    return 1;
+
+failed1:
+    return ret;
+}
+
+/**
+ * @brief read data from to remote
+ */
+int SSL_read(SSL *ssl, void *buffer, int len)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(buffer);
+    SSL_ASSERT1(len);
+
+    ssl->rwstate = SSL_READING;
+
+    ret = SSL_METHOD_CALL(read, ssl, buffer, len);
+
+    if (ret == len)
+        ssl->rwstate = SSL_NOTHING;
+
+    return ret;
+}
+
+/**
+ * @brief send the data to remote
+ */
+int SSL_write(SSL *ssl, const void *buffer, int len)
+{
+    int ret;
+    int send_bytes;
+    const unsigned char *pbuf;
+
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(buffer);
+    SSL_ASSERT1(len);
+
+    ssl->rwstate = SSL_WRITING;
+
+    send_bytes = len;
+    pbuf = (const unsigned char *)buffer;
+
+    do {
+        int bytes;
+
+        if (send_bytes > SSL_SEND_DATA_MAX_LENGTH)
+            bytes = SSL_SEND_DATA_MAX_LENGTH;
+        else
+            bytes = send_bytes;
+
+        ret = SSL_METHOD_CALL(send, ssl, buffer, bytes);
+        if (ret > 0) {
+            pbuf += ret;
+            send_bytes -= ret;
+        }
+    } while (ret > 0 && send_bytes);
+
+    if (ret >= 0) {
+        ret = len - send_bytes;
+        ssl->rwstate = SSL_NOTHING;
+    } else
+        ret = -1;
+
+    return ret;
+}
+
+/**
+ * @brief get SSL context of the SSL
+ */
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
+{
+    SSL_ASSERT2(ssl);
+
+    return ssl->ctx;
+}
+
+/**
+ * @brief get the SSL current method
+ */
+const SSL_METHOD *SSL_get_ssl_method(SSL *ssl)
+{
+    SSL_ASSERT2(ssl);
+
+    return ssl->method;
+}
+
+/**
+ * @brief set the SSL method
+ */
+int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(method);
+
+    if (ssl->version != method->version) {
+
+        ret = SSL_shutdown(ssl);
+        if (1 != ret) {
+            SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret);
+            goto failed1;
+        }
+
+        SSL_METHOD_CALL(free, ssl);
+
+        ssl->method = method;
+
+        ret = SSL_METHOD_CALL(new, ssl);
+        if (!ret) {
+            SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret);
+            goto failed1;
+        }
+    } else {
+        ssl->method = method;
+    }
+
+
+    return 1;
+
+failed1:
+    return ret;
+}
+
+/**
+ * @brief get SSL shutdown mode
+ */
+int SSL_get_shutdown(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->shutdown;
+}
+
+/**
+ * @brief set SSL shutdown mode
+ */
+void SSL_set_shutdown(SSL *ssl, int mode)
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->shutdown = mode;
+}
+
+
+/**
+ * @brief get the number of the bytes to be read
+ */
+int SSL_pending(const SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_METHOD_CALL(pending, ssl);
+
+    return ret;
+}
+
+/**
+ * @brief check if some data can be read
+ */
+int SSL_has_pending(const SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    if (SSL_pending(ssl))
+        ret = 1;
+    else
+        ret = 0;
+
+    return ret;
+}
+
+/**
+ * @brief clear the SSL context option bit of "op"
+ */
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->options &= ~op;
+}
+
+/**
+ * @brief get the SSL context option
+ */
+unsigned long SSL_CTX_get_options(SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->options;
+}
+
+/**
+ * @brief set the option of the SSL context
+ */
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->options |= opt;
+}
+
+/**
+ * @brief clear SSL option
+ */
+unsigned long SSL_clear_options(SSL *ssl, unsigned long op)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->options & ~op;
+}
+
+/**
+ * @brief get SSL option
+ */
+unsigned long SSL_get_options(SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->options;
+}
+
+/**
+ * @brief clear SSL option
+ */
+unsigned long SSL_set_options(SSL *ssl, unsigned long op)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->options |= op;
+}
+
+/**
+ * @brief get the socket handle of the SSL
+ */
+int SSL_get_fd(const SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_METHOD_CALL(get_fd, ssl, 0);
+
+    return ret;
+}
+
+/**
+ * @brief get the read only socket handle of the SSL
+ */
+int SSL_get_rfd(const SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_METHOD_CALL(get_fd, ssl, 0);
+
+    return ret;
+}
+
+/**
+ * @brief get the write only socket handle of the SSL
+ */
+int SSL_get_wfd(const SSL *ssl)
+{
+    int ret;
+
+    SSL_ASSERT1(ssl);
+
+    ret = SSL_METHOD_CALL(get_fd, ssl, 0);
+
+    return ret;
+}
+
+/**
+ * @brief bind the socket file description into the SSL
+ */
+int SSL_set_fd(SSL *ssl, int fd)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(fd >= 0);
+
+    SSL_METHOD_CALL(set_fd, ssl, fd, 0);
+
+    return 1;
+}
+
+/**
+ * @brief bind the read only socket file description into the SSL
+ */
+int SSL_set_rfd(SSL *ssl, int fd)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(fd >= 0);
+
+    SSL_METHOD_CALL(set_fd, ssl, fd, 0);
+
+    return 1;
+}
+
+/**
+ * @brief bind the write only socket file description into the SSL
+ */
+int SSL_set_wfd(SSL *ssl, int fd)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(fd >= 0);
+
+    SSL_METHOD_CALL(set_fd, ssl, fd, 0);
+
+    return 1;
+}
+
+/**
+ * @brief get SSL version
+ */
+int SSL_version(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->version;
+}
+
+/**
+ * @brief get the SSL version string
+ */
+static const char* ssl_protocol_to_string(int version)
+{
+    const char *str;
+
+    if (version == TLS1_2_VERSION)
+        str = "TLSv1.2";
+    else if (version == TLS1_1_VERSION)
+        str = "TLSv1.1";
+    else if (version == TLS1_VERSION)
+        str = "TLSv1";
+    else if (version == SSL3_VERSION)
+        str = "SSLv3";
+    else
+        str = "unknown";
+
+    return str;
+}
+
+/**
+ * @brief get the SSL current version
+ */
+const char *SSL_get_version(const SSL *ssl)
+{
+    SSL_ASSERT2(ssl);
+
+    return ssl_protocol_to_string(SSL_version(ssl));
+}
+
+/**
+ * @brief get alert description string
+ */
+const char* SSL_alert_desc_string(int value)
+{
+    const char *str;
+
+    switch (value & 0xff)
+    {
+        case SSL3_AD_CLOSE_NOTIFY:
+            str = "CN";
+            break;
+        case SSL3_AD_UNEXPECTED_MESSAGE:
+            str = "UM";
+            break;
+        case SSL3_AD_BAD_RECORD_MAC:
+            str = "BM";
+            break;
+        case SSL3_AD_DECOMPRESSION_FAILURE:
+            str = "DF";
+            break;
+        case SSL3_AD_HANDSHAKE_FAILURE:
+            str = "HF";
+            break;
+        case SSL3_AD_NO_CERTIFICATE:
+            str = "NC";
+            break;
+        case SSL3_AD_BAD_CERTIFICATE:
+            str = "BC";
+            break;
+        case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+            str = "UC";
+            break;
+        case SSL3_AD_CERTIFICATE_REVOKED:
+            str = "CR";
+            break;
+        case SSL3_AD_CERTIFICATE_EXPIRED:
+            str = "CE";
+            break;
+        case SSL3_AD_CERTIFICATE_UNKNOWN:
+            str = "CU";
+            break;
+        case SSL3_AD_ILLEGAL_PARAMETER:
+            str = "IP";
+            break;
+        case TLS1_AD_DECRYPTION_FAILED:
+            str = "DC";
+            break;
+        case TLS1_AD_RECORD_OVERFLOW:
+            str = "RO";
+            break;
+        case TLS1_AD_UNKNOWN_CA:
+            str = "CA";
+            break;
+        case TLS1_AD_ACCESS_DENIED:
+            str = "AD";
+            break;
+        case TLS1_AD_DECODE_ERROR:
+            str = "DE";
+            break;
+        case TLS1_AD_DECRYPT_ERROR:
+            str = "CY";
+            break;
+        case TLS1_AD_EXPORT_RESTRICTION:
+            str = "ER";
+            break;
+        case TLS1_AD_PROTOCOL_VERSION:
+            str = "PV";
+            break;
+        case TLS1_AD_INSUFFICIENT_SECURITY:
+            str = "IS";
+            break;
+        case TLS1_AD_INTERNAL_ERROR:
+            str = "IE";
+            break;
+        case TLS1_AD_USER_CANCELLED:
+            str = "US";
+            break;
+        case TLS1_AD_NO_RENEGOTIATION:
+            str = "NR";
+            break;
+        case TLS1_AD_UNSUPPORTED_EXTENSION:
+            str = "UE";
+            break;
+        case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+            str = "CO";
+            break;
+        case TLS1_AD_UNRECOGNIZED_NAME:
+            str = "UN";
+            break;
+        case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+            str = "BR";
+            break;
+        case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+            str = "BH";
+            break;
+        case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+            str = "UP";
+            break;
+        default:
+            str = "UK";
+            break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get alert description long string
+ */
+const char* SSL_alert_desc_string_long(int value)
+{
+    const char *str;
+
+    switch (value & 0xff)
+    {
+        case SSL3_AD_CLOSE_NOTIFY:
+            str = "close notify";
+            break;
+        case SSL3_AD_UNEXPECTED_MESSAGE:
+            str = "unexpected_message";
+            break;
+        case SSL3_AD_BAD_RECORD_MAC:
+            str = "bad record mac";
+            break;
+        case SSL3_AD_DECOMPRESSION_FAILURE:
+            str = "decompression failure";
+            break;
+        case SSL3_AD_HANDSHAKE_FAILURE:
+            str = "handshake failure";
+            break;
+        case SSL3_AD_NO_CERTIFICATE:
+            str = "no certificate";
+            break;
+        case SSL3_AD_BAD_CERTIFICATE:
+            str = "bad certificate";
+            break;
+        case SSL3_AD_UNSUPPORTED_CERTIFICATE:
+            str = "unsupported certificate";
+            break;
+        case SSL3_AD_CERTIFICATE_REVOKED:
+            str = "certificate revoked";
+            break;
+        case SSL3_AD_CERTIFICATE_EXPIRED:
+            str = "certificate expired";
+            break;
+        case SSL3_AD_CERTIFICATE_UNKNOWN:
+            str = "certificate unknown";
+            break;
+        case SSL3_AD_ILLEGAL_PARAMETER:
+            str = "illegal parameter";
+            break;
+        case TLS1_AD_DECRYPTION_FAILED:
+            str = "decryption failed";
+            break;
+        case TLS1_AD_RECORD_OVERFLOW:
+            str = "record overflow";
+            break;
+        case TLS1_AD_UNKNOWN_CA:
+            str = "unknown CA";
+            break;
+        case TLS1_AD_ACCESS_DENIED:
+            str = "access denied";
+            break;
+        case TLS1_AD_DECODE_ERROR:
+            str = "decode error";
+            break;
+        case TLS1_AD_DECRYPT_ERROR:
+            str = "decrypt error";
+            break;
+        case TLS1_AD_EXPORT_RESTRICTION:
+            str = "export restriction";
+            break;
+        case TLS1_AD_PROTOCOL_VERSION:
+            str = "protocol version";
+            break;
+        case TLS1_AD_INSUFFICIENT_SECURITY:
+            str = "insufficient security";
+            break;
+        case TLS1_AD_INTERNAL_ERROR:
+            str = "internal error";
+            break;
+        case TLS1_AD_USER_CANCELLED:
+            str = "user canceled";
+            break;
+        case TLS1_AD_NO_RENEGOTIATION:
+            str = "no renegotiation";
+            break;
+        case TLS1_AD_UNSUPPORTED_EXTENSION:
+            str = "unsupported extension";
+            break;
+        case TLS1_AD_CERTIFICATE_UNOBTAINABLE:
+            str = "certificate unobtainable";
+            break;
+        case TLS1_AD_UNRECOGNIZED_NAME:
+            str = "unrecognized name";
+            break;
+        case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
+            str = "bad certificate status response";
+            break;
+        case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:
+            str = "bad certificate hash value";
+            break;
+        case TLS1_AD_UNKNOWN_PSK_IDENTITY:
+            str = "unknown PSK identity";
+            break;
+        default:
+            str = "unknown";
+            break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get alert type string
+ */
+const char *SSL_alert_type_string(int value)
+{
+    const char *str;
+
+    switch (value >> 8)
+    {
+    case SSL3_AL_WARNING:
+        str = "W";
+        break;
+    case SSL3_AL_FATAL:
+        str = "F";
+        break;
+    default:
+        str = "U";
+        break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get alert type long string
+ */
+const char *SSL_alert_type_string_long(int value)
+{
+    const char *str;
+
+    switch (value >> 8)
+    {
+        case SSL3_AL_WARNING:
+            str = "warning";
+            break;
+        case SSL3_AL_FATAL:
+            str = "fatal";
+            break;
+        default:
+            str = "unknown";
+            break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get the state string where SSL is reading
+ */
+const char *SSL_rstate_string(SSL *ssl)
+{
+    const char *str;
+
+    SSL_ASSERT2(ssl);
+
+    switch (ssl->rlayer.rstate)
+    {
+        case SSL_ST_READ_HEADER:
+            str = "RH";
+            break;
+        case SSL_ST_READ_BODY:
+            str = "RB";
+            break;
+        case SSL_ST_READ_DONE:
+            str = "RD";
+            break;
+        default:
+            str = "unknown";
+            break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get the statement long string where SSL is reading
+ */
+const char *SSL_rstate_string_long(SSL *ssl)
+{
+    const char *str = "unknown";
+
+    SSL_ASSERT2(ssl);
+
+    switch (ssl->rlayer.rstate)
+    {
+        case SSL_ST_READ_HEADER:
+            str = "read header";
+            break;
+        case SSL_ST_READ_BODY:
+            str = "read body";
+            break;
+        case SSL_ST_READ_DONE:
+            str = "read done";
+            break;
+        default:
+            break;
+    }
+
+    return str;
+}
+
+/**
+ * @brief get SSL statement string
+ */
+char *SSL_state_string(const SSL *ssl)
+{
+    char *str = "UNKWN ";
+
+    SSL_ASSERT2(ssl);
+
+    if (ossl_statem_in_error(ssl))
+        str = "SSLERR";
+    else
+    {
+        switch (SSL_get_state(ssl))
+        {
+            case TLS_ST_BEFORE:
+                str = "PINIT ";
+                break;
+            case TLS_ST_OK:
+                str =  "SSLOK ";
+                break;
+            case TLS_ST_CW_CLNT_HELLO:
+                str = "TWCH";
+                break;
+            case TLS_ST_CR_SRVR_HELLO:
+                str = "TRSH";
+                break;
+            case TLS_ST_CR_CERT:
+                str = "TRSC";
+                break;
+            case TLS_ST_CR_KEY_EXCH:
+                str = "TRSKE";
+                break;
+            case TLS_ST_CR_CERT_REQ:
+                str = "TRCR";
+                break;
+            case TLS_ST_CR_SRVR_DONE:
+                str = "TRSD";
+                break;
+            case TLS_ST_CW_CERT:
+                str = "TWCC";
+                break;
+            case TLS_ST_CW_KEY_EXCH:
+                str = "TWCKE";
+                break;
+            case TLS_ST_CW_CERT_VRFY:
+                str = "TWCV";
+                break;
+            case TLS_ST_SW_CHANGE:
+            case TLS_ST_CW_CHANGE:
+                str = "TWCCS";
+                break;
+            case TLS_ST_SW_FINISHED:
+            case TLS_ST_CW_FINISHED:
+                str = "TWFIN";
+                break;
+            case TLS_ST_SR_CHANGE:
+            case TLS_ST_CR_CHANGE:
+                str = "TRCCS";
+                break;
+            case TLS_ST_SR_FINISHED:
+            case TLS_ST_CR_FINISHED:
+                str = "TRFIN";
+                break;
+            case TLS_ST_SW_HELLO_REQ:
+                str = "TWHR";
+                break;
+            case TLS_ST_SR_CLNT_HELLO:
+                str = "TRCH";
+                break;
+            case TLS_ST_SW_SRVR_HELLO:
+                str = "TWSH";
+                break;
+            case TLS_ST_SW_CERT:
+                str = "TWSC";
+                break;
+            case TLS_ST_SW_KEY_EXCH:
+                str = "TWSKE";
+                break;
+            case TLS_ST_SW_CERT_REQ:
+                str = "TWCR";
+                break;
+            case TLS_ST_SW_SRVR_DONE:
+                str = "TWSD";
+                break;
+            case TLS_ST_SR_CERT:
+                str = "TRCC";
+                break;
+            case TLS_ST_SR_KEY_EXCH:
+                str = "TRCKE";
+                break;
+            case TLS_ST_SR_CERT_VRFY:
+                str = "TRCV";
+                break;
+            case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
+                str = "DRCHV";
+                break;
+            case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
+                str = "DWCHV";
+                break;
+            default:
+                break;
+        }
+    }
+
+    return str;
+}
+
+/**
+ * @brief get SSL statement long string
+ */
+char *SSL_state_string_long(const SSL *ssl)
+{
+    char *str = "UNKWN ";
+
+    SSL_ASSERT2(ssl);
+
+    if (ossl_statem_in_error(ssl))
+        str = "SSLERR";
+    else
+    {
+        switch (SSL_get_state(ssl))
+        {
+            case TLS_ST_BEFORE:
+                str = "before SSL initialization";
+                break;
+            case TLS_ST_OK:
+                str = "SSL negotiation finished successfully";
+                break;
+            case TLS_ST_CW_CLNT_HELLO:
+                str = "SSLv3/TLS write client hello";
+                break;
+            case TLS_ST_CR_SRVR_HELLO:
+                str = "SSLv3/TLS read server hello";
+                break;
+            case TLS_ST_CR_CERT:
+                str = "SSLv3/TLS read server certificate";
+                break;
+            case TLS_ST_CR_KEY_EXCH:
+                str = "SSLv3/TLS read server key exchange";
+                break;
+            case TLS_ST_CR_CERT_REQ:
+                str = "SSLv3/TLS read server certificate request";
+                break;
+            case TLS_ST_CR_SESSION_TICKET:
+                str = "SSLv3/TLS read server session ticket";
+                break;
+            case TLS_ST_CR_SRVR_DONE:
+                str = "SSLv3/TLS read server done";
+                break;
+            case TLS_ST_CW_CERT:
+                str = "SSLv3/TLS write client certificate";
+                break;
+            case TLS_ST_CW_KEY_EXCH:
+                str = "SSLv3/TLS write client key exchange";
+                break;
+            case TLS_ST_CW_CERT_VRFY:
+                str = "SSLv3/TLS write certificate verify";
+                break;
+            case TLS_ST_CW_CHANGE:
+            case TLS_ST_SW_CHANGE:
+                str = "SSLv3/TLS write change cipher spec";
+                break;
+            case TLS_ST_CW_FINISHED:
+            case TLS_ST_SW_FINISHED:
+                str = "SSLv3/TLS write finished";
+                break;
+            case TLS_ST_CR_CHANGE:
+            case TLS_ST_SR_CHANGE:
+                str = "SSLv3/TLS read change cipher spec";
+                break;
+            case TLS_ST_CR_FINISHED:
+            case TLS_ST_SR_FINISHED:
+                str = "SSLv3/TLS read finished";
+                break;
+            case TLS_ST_SR_CLNT_HELLO:
+                str = "SSLv3/TLS read client hello";
+                break;
+            case TLS_ST_SW_HELLO_REQ:
+                str = "SSLv3/TLS write hello request";
+                break;
+            case TLS_ST_SW_SRVR_HELLO:
+                str = "SSLv3/TLS write server hello";
+                break;
+            case TLS_ST_SW_CERT:
+                str = "SSLv3/TLS write certificate";
+                break;
+            case TLS_ST_SW_KEY_EXCH:
+                str = "SSLv3/TLS write key exchange";
+                break;
+            case TLS_ST_SW_CERT_REQ:
+                str = "SSLv3/TLS write certificate request";
+                break;
+            case TLS_ST_SW_SESSION_TICKET:
+                str = "SSLv3/TLS write session ticket";
+                break;
+            case TLS_ST_SW_SRVR_DONE:
+                str = "SSLv3/TLS write server done";
+                break;
+            case TLS_ST_SR_CERT:
+                str = "SSLv3/TLS read client certificate";
+                break;
+            case TLS_ST_SR_KEY_EXCH:
+                str = "SSLv3/TLS read client key exchange";
+                break;
+            case TLS_ST_SR_CERT_VRFY:
+                str = "SSLv3/TLS read certificate verify";
+                break;
+            case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
+                str = "DTLS1 read hello verify request";
+                break;
+            case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
+                str = "DTLS1 write hello verify request";
+                break;
+            default:
+                break;
+        }
+    }
+
+    return str;
+}
+
+/**
+ * @brief set the SSL context read buffer length
+ */
+void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
+{
+    SSL_ASSERT3(ctx);
+
+    ctx->read_buffer_len = len;
+}
+
+/**
+ * @brief set the SSL read buffer length
+ */
+void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
+{
+    SSL_ASSERT3(ssl);
+    SSL_ASSERT3(len);
+
+    SSL_METHOD_CALL(set_bufflen, ssl, len);
+}
+
+/**
+ * @brief set the SSL information callback function
+ */
+void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val))
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->info_callback = cb;
+}
+
+/**
+ * @brief add SSL context reference count by '1'
+ */
+int SSL_CTX_up_ref(SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    /**
+     * no support multi-thread SSL here
+     */
+    ctx->references++;
+
+    return 1;
+}
+
+/**
+ * @brief set the SSL security level
+ */
+void SSL_set_security_level(SSL *ssl, int level)
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->cert->sec_level = level;
+}
+
+/**
+ * @brief get the SSL security level
+ */
+int SSL_get_security_level(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->cert->sec_level;
+}
+
+/**
+ * @brief get the SSL verifying mode of the SSL context
+ */
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->verify_mode;
+}
+
+/**
+ * @brief set the session timeout time
+ */
+long SSL_CTX_set_timeout(SSL_CTX *ctx, long t)
+{
+    long l;
+
+    SSL_ASSERT1(ctx);
+
+    l = ctx->session_timeout;
+    ctx->session_timeout = t;
+
+    return l;
+}
+
+/**
+ * @brief get the session timeout time
+ */
+long SSL_CTX_get_timeout(const SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->session_timeout;
+}
+
+/**
+ * @brief set the SSL if we can read as many as data
+ */
+void SSL_set_read_ahead(SSL *ssl, int yes)
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->rlayer.read_ahead = yes;
+}
+
+/**
+ * @brief set the SSL context if we can read as many as data
+ */
+void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes)
+{
+    SSL_ASSERT3(ctx);
+
+    ctx->read_ahead = yes;
+}
+
+/**
+ * @brief get the SSL ahead signal if we can read as many as data
+ */
+int SSL_get_read_ahead(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->rlayer.read_ahead;
+}
+
+/**
+ * @brief get the SSL context ahead signal if we can read as many as data
+ */
+long SSL_CTX_get_read_ahead(SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->read_ahead;
+}
+
+/**
+ * @brief check if the SSL context can read as many as data
+ */
+long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->read_ahead;
+}
+
+/**
+ * @brief set SSL session time
+ */
+long SSL_set_time(SSL *ssl, long t)
+{
+    SSL_ASSERT1(ssl);
+
+    ssl->session->time = t;
+
+    return t;
+}
+
+/**
+ * @brief set SSL session timeout time
+ */
+long SSL_set_timeout(SSL *ssl, long t)
+{
+    SSL_ASSERT1(ssl);
+
+    ssl->session->timeout = t;
+
+    return t;
+}
+
+/**
+ * @brief get the verifying result of the SSL certification
+ */
+long SSL_get_verify_result(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return SSL_METHOD_CALL(get_verify_result, ssl);
+}
+
+/**
+ * @brief get the SSL verifying depth of the SSL context
+ */
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx)
+{
+    SSL_ASSERT1(ctx);
+
+    return ctx->param.depth;
+}
+
+/**
+ * @brief set the SSL verify depth of the SSL context
+ */
+void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth)
+{
+    SSL_ASSERT3(ctx);
+
+    ctx->param.depth = depth;
+}
+
+/**
+ * @brief get the SSL verifying depth of the SSL
+ */
+int SSL_get_verify_depth(const SSL *ssl)
+{
+    SSL_ASSERT1(ssl);
+
+    return ssl->param.depth;
+}
+
+/**
+ * @brief set the SSL verify depth of the SSL
+ */
+void SSL_set_verify_depth(SSL *ssl, int depth)
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->param.depth = depth;
+}
+
+/**
+ * @brief set the SSL context verifying of the SSL context
+ */
+void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
+{
+    SSL_ASSERT3(ctx);
+
+    ctx->verify_mode = mode;
+    ctx->default_verify_callback = verify_callback;
+}
+
+/**
+ * @brief set the SSL verifying of the SSL context
+ */
+void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
+{
+    SSL_ASSERT3(ssl);
+
+    ssl->verify_mode = mode;
+    ssl->verify_callback = verify_callback;
+}
diff --git a/third_party/openssl/library/ssl_methods.c b/third_party/openssl/library/ssl_methods.c
new file mode 100644
index 00000000..00023608
--- /dev/null
+++ b/third_party/openssl/library/ssl_methods.c
@@ -0,0 +1,81 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_methods.h"
+#include "ssl_pm.h"
+
+/**
+ * TLS method function collection
+ */
+IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
+        ssl_pm_new, ssl_pm_free,
+        ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear,
+        ssl_pm_read, ssl_pm_send, ssl_pm_pending,
+        ssl_pm_set_fd, ssl_pm_get_fd,
+        ssl_pm_set_bufflen,
+        ssl_pm_get_verify_result,
+        ssl_pm_get_state);
+
+/**
+ * TLS or SSL client method collection
+ */
+IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 0, TLS_method_func, TLS_client_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 0, TLS_method_func, TLSv1_2_client_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 0, TLS_method_func, TLSv1_1_client_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_client_method);
+
+IMPLEMENT_SSL_METHOD(SSL3_VERSION, 0, TLS_method_func, SSLv3_client_method);
+
+/**
+ * TLS or SSL server method collection
+ */
+IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, 1, TLS_method_func, TLS_server_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 1, TLS_method_func, TLSv1_1_server_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 1, TLS_method_func, TLSv1_2_server_method);
+
+IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_server_method);
+
+IMPLEMENT_SSL_METHOD(SSL3_VERSION, 1, TLS_method_func, SSLv3_server_method);
+
+/**
+ * TLS or SSL method collection
+ */
+IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, -1, TLS_method_func, TLS_method);
+
+IMPLEMENT_SSL_METHOD(TLS1_2_VERSION, -1, TLS_method_func, TLSv1_2_method);
+
+IMPLEMENT_SSL_METHOD(TLS1_1_VERSION, -1, TLS_method_func, TLSv1_1_method);
+
+IMPLEMENT_SSL_METHOD(TLS1_VERSION, -1, TLS_method_func, TLSv1_method);
+
+IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method);
+
+/**
+ * @brief get X509 object method
+ */
+IMPLEMENT_X509_METHOD(X509_method,
+            x509_pm_new, x509_pm_free,
+            x509_pm_load, x509_pm_show_info);
+
+/**
+ * @brief get private key object method
+ */
+IMPLEMENT_PKEY_METHOD(EVP_PKEY_method,
+            pkey_pm_new, pkey_pm_free,
+            pkey_pm_load);
diff --git a/third_party/openssl/library/ssl_pkey.c b/third_party/openssl/library/ssl_pkey.c
new file mode 100755
index 00000000..567a33e2
--- /dev/null
+++ b/third_party/openssl/library/ssl_pkey.c
@@ -0,0 +1,239 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_pkey.h"
+#include "ssl_methods.h"
+#include "ssl_dbg.h"
+#include "ssl_port.h"
+
+/**
+ * @brief create a private key object according to input private key
+ */
+EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk)
+{
+    int ret;
+    EVP_PKEY *pkey;
+
+    pkey = ssl_mem_zalloc(sizeof(EVP_PKEY));
+    if (!pkey) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "no enough memory > (pkey)");
+        goto no_mem;
+    }
+
+    if (ipk) {
+        pkey->method = ipk->method;
+    } else {
+        pkey->method = EVP_PKEY_method();
+    }
+
+    ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk);
+    if (ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret);
+        goto failed;
+    }
+
+    return pkey;
+
+failed:
+    ssl_mem_free(pkey);
+no_mem:
+    return NULL;
+}
+
+/**
+ * @brief create a private key object
+ */
+EVP_PKEY* EVP_PKEY_new(void)
+{
+    return __EVP_PKEY_new(NULL);
+}
+
+/**
+ * @brief free a private key object
+ */
+void EVP_PKEY_free(EVP_PKEY *pkey)
+{
+    SSL_ASSERT3(pkey);
+
+    EVP_PKEY_METHOD_CALL(free, pkey);
+
+    ssl_mem_free(pkey);
+}
+
+/**
+ * @brief load a character key context into system context. If '*a' is pointed to the
+ *        private key, then load key into it. Or create a new private key object
+ */
+EVP_PKEY *d2i_PrivateKey(int type,
+                         EVP_PKEY **a,
+                         const unsigned char **pp,
+                         long length)
+{
+    int m = 0;
+    int ret;
+    EVP_PKEY *pkey;
+
+    SSL_ASSERT2(pp);
+    SSL_ASSERT2(*pp);
+    SSL_ASSERT2(length);
+
+    if (a && *a) {
+        pkey = *a;
+    } else {
+        pkey = EVP_PKEY_new();;
+        if (!pkey) {
+            SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL");
+            goto failed1;
+        }
+
+        m = 1;
+    }
+
+    ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length);
+    if (ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(load) return %d", ret);
+        goto failed2;
+    }
+
+    if (a)
+        *a = pkey;
+
+    return pkey;
+
+failed2:
+    if (m)
+        EVP_PKEY_free(pkey);
+failed1:
+    return NULL;
+}
+
+/**
+ * @brief set the SSL context private key
+ */
+int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
+{
+    SSL_ASSERT1(ctx);
+    SSL_ASSERT1(pkey);
+
+    if (ctx->cert->pkey == pkey)
+        return 1;
+
+    if (ctx->cert->pkey)
+        EVP_PKEY_free(ctx->cert->pkey);
+
+    ctx->cert->pkey = pkey;
+
+    return 1;
+}
+
+/**
+ * @brief set the SSL private key
+ */
+int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(pkey);
+
+    if (ssl->cert->pkey == pkey)
+        return 1;
+
+    if (ssl->cert->pkey)
+        EVP_PKEY_free(ssl->cert->pkey);
+
+    ssl->cert->pkey = pkey;
+
+    return 1;
+}
+
+/**
+ * @brief load private key into the SSL context
+ */
+int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
+                                const unsigned char *d, long len)
+{
+    int ret;
+    EVP_PKEY *pk;
+
+    pk = d2i_PrivateKey(0, NULL, &d, len);
+    if (!pk) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
+        goto failed1;
+    }
+
+    ret = SSL_CTX_use_PrivateKey(ctx, pk);
+    if (!ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_PrivateKey() return %d", ret);
+        goto failed2;
+    }
+
+    return 1;
+
+failed2:
+    EVP_PKEY_free(pk);
+failed1:
+    return 0;
+}
+
+/**
+ * @brief load private key into the SSL
+ */
+int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
+                                const unsigned char *d, long len)
+{
+    int ret;
+    EVP_PKEY *pk;
+
+    pk = d2i_PrivateKey(0, NULL, &d, len);
+    if (!pk) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL");
+        goto failed1;
+    }
+
+    ret = SSL_use_PrivateKey(ssl, pk);
+    if (!ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_PrivateKey() return %d", ret);
+        goto failed2;
+    }
+
+    return 1;
+
+failed2:
+    EVP_PKEY_free(pk);
+failed1:
+    return 0;
+}
+
+/**
+ * @brief load the private key file into SSL context
+ */
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+{
+    return 0;
+}
+
+/**
+ * @brief load the private key file into SSL
+ */
+int SSL_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+{
+    return 0;
+}
+
+/**
+ * @brief load the RSA ASN1 private key into SSL context
+ */
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len)
+{
+    return SSL_CTX_use_PrivateKey_ASN1(0, ctx, d, len);
+}
diff --git a/third_party/openssl/library/ssl_stack.c b/third_party/openssl/library/ssl_stack.c
new file mode 100644
index 00000000..da836daf
--- /dev/null
+++ b/third_party/openssl/library/ssl_stack.c
@@ -0,0 +1,74 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_stack.h"
+#include "ssl_dbg.h"
+#include "ssl_port.h"
+
+#ifndef CONFIG_MIN_NODES
+    #define MIN_NODES 4
+#else
+    #define MIN_NODES CONFIG_MIN_NODES
+#endif
+
+/**
+ * @brief create a openssl stack object
+ */
+OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
+{
+    OPENSSL_STACK *stack;
+    char **data;
+
+    stack = ssl_mem_zalloc(sizeof(OPENSSL_STACK));
+    if (!stack) {
+        SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (stack)");
+        goto no_mem1;
+    }
+
+    data = ssl_mem_zalloc(sizeof(*data) * MIN_NODES);
+    if (!data) {
+        SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (data)");
+        goto no_mem2;
+    }
+
+    stack->data = data;
+    stack->num_alloc = MIN_NODES;
+    stack->c = c;
+
+    return stack;
+
+no_mem2:
+    ssl_mem_free(stack);
+no_mem1:
+    return NULL;
+}
+
+/**
+ * @brief create a NULL function openssl stack object
+ */
+OPENSSL_STACK *OPENSSL_sk_new_null(void)
+{
+    return OPENSSL_sk_new((OPENSSL_sk_compfunc)NULL);
+}
+
+/**
+ * @brief free openssl stack object
+ */
+void OPENSSL_sk_free(OPENSSL_STACK *stack)
+{
+    SSL_ASSERT3(stack);
+
+    ssl_mem_free(stack->data);
+    ssl_mem_free(stack);
+}
diff --git a/third_party/openssl/library/ssl_x509.c b/third_party/openssl/library/ssl_x509.c
new file mode 100755
index 00000000..ef0503c0
--- /dev/null
+++ b/third_party/openssl/library/ssl_x509.c
@@ -0,0 +1,285 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_x509.h"
+#include "ssl_methods.h"
+#include "ssl_dbg.h"
+#include "ssl_port.h"
+
+/**
+ * @brief show X509 certification information
+ */
+int __X509_show_info(X509 *x)
+{
+    return X509_METHOD_CALL(show_info, x);
+}
+
+/**
+ * @brief create a X509 certification object according to input X509 certification
+ */
+X509* __X509_new(X509 *ix)
+{
+    int ret;
+    X509 *x;
+
+    x = ssl_mem_zalloc(sizeof(X509));
+    if (!x) {
+        SSL_DEBUG(SSL_X509_ERROR_LEVEL, "no enough memory > (x)");
+        goto no_mem;
+    }
+
+    if (ix)
+        x->method = ix->method;
+    else
+        x->method = X509_method();
+
+    ret = X509_METHOD_CALL(new, x, ix);
+    if (ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(new) return %d", ret);
+        goto failed;
+    }
+
+    return x;
+
+failed:
+    ssl_mem_free(x);
+no_mem:
+    return NULL;
+}
+
+/**
+ * @brief create a X509 certification object
+ */
+X509* X509_new(void)
+{
+    return __X509_new(NULL);
+}
+
+/**
+ * @brief free a X509 certification object
+ */
+void X509_free(X509 *x)
+{
+    SSL_ASSERT3(x);
+
+    X509_METHOD_CALL(free, x);
+
+    ssl_mem_free(x);
+};
+
+/**
+ * @brief load a character certification context into system context. If '*cert' is pointed to the
+ *        certification, then load certification into it. Or create a new X509 certification object
+ */
+X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
+{
+    int m = 0;
+    int ret;
+    X509 *x;
+
+    SSL_ASSERT2(buffer);
+    SSL_ASSERT2(len);
+
+    if (cert && *cert) {
+        x = *cert;
+    } else {
+        x = X509_new();
+        if (!x) {
+            SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL");
+            goto failed1;
+        }
+        m = 1;
+    }
+
+    ret = X509_METHOD_CALL(load, x, buffer, len);
+    if (ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret);
+        goto failed2;
+    }
+
+    return x;
+
+failed2:
+    if (m)
+        X509_free(x);
+failed1:
+    return NULL;
+}
+
+/**
+ * @brief set SSL context client CA certification
+ */
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
+{
+    SSL_ASSERT1(ctx);
+    SSL_ASSERT1(x);
+
+    if (ctx->client_CA == x)
+        return 1;
+
+    X509_free(ctx->client_CA);
+
+    ctx->client_CA = x;
+
+    return 1;
+}
+
+/**
+ * @brief add CA client certification into the SSL
+ */
+int SSL_add_client_CA(SSL *ssl, X509 *x)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(x);
+
+    if (ssl->client_CA == x)
+        return 1;
+
+    X509_free(ssl->client_CA);
+
+    ssl->client_CA = x;
+
+    return 1;
+}
+
+/**
+ * @brief set the SSL context certification
+ */
+int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
+{
+    SSL_ASSERT1(ctx);
+    SSL_ASSERT1(x);
+
+    if (ctx->cert->x509 == x)
+        return 1;
+
+    X509_free(ctx->cert->x509);
+
+    ctx->cert->x509 = x;
+
+    return 1;
+}
+
+/**
+ * @brief set the SSL certification
+ */
+int SSL_use_certificate(SSL *ssl, X509 *x)
+{
+    SSL_ASSERT1(ssl);
+    SSL_ASSERT1(x);
+
+    if (ssl->cert->x509 == x)
+        return 1;
+
+    X509_free(ssl->cert->x509);
+
+    ssl->cert->x509 = x;
+
+    return 1;
+}
+
+/**
+ * @brief get the SSL certification point
+ */
+X509 *SSL_get_certificate(const SSL *ssl)
+{
+    SSL_ASSERT2(ssl);
+
+    return ssl->cert->x509;
+}
+
+/**
+ * @brief load certification into the SSL context
+ */
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
+                                 const unsigned char *d)
+{
+    int ret;
+    X509 *x;
+
+    x = d2i_X509(NULL, d, len);
+    if (!x) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
+        goto failed1;
+    }
+
+    ret = SSL_CTX_use_certificate(ctx, x);
+    if (!ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret);
+        goto failed2;
+    }
+
+    return 1;
+
+failed2:
+    X509_free(x);
+failed1:
+    return 0;
+}
+
+/**
+ * @brief load certification into the SSL
+ */
+int SSL_use_certificate_ASN1(SSL *ssl, int len,
+                             const unsigned char *d)
+{
+    int ret;
+    X509 *x;
+
+    x = d2i_X509(NULL, d, len);
+    if (!x) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
+        goto failed1;
+    }
+
+    ret = SSL_use_certificate(ssl, x);
+    if (!ret) {
+        SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_certificate() return %d", ret);
+        goto failed2;
+    }
+
+    return 1;
+
+failed2:
+    X509_free(x);
+failed1:
+    return 0;
+}
+
+/**
+ * @brief load the certification file into SSL context
+ */
+int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
+{
+    return 0;
+}
+
+/**
+ * @brief load the certification file into SSL
+ */
+int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
+{
+    return 0;
+}
+
+/**
+ * @brief get peer certification
+ */
+X509 *SSL_get_peer_certificate(const SSL *ssl)
+{
+    SSL_ASSERT2(ssl);
+
+    return ssl->session->peer;
+}
+
diff --git a/third_party/openssl/mbedtls_ssl.c b/third_party/openssl/mbedtls_ssl.c
deleted file mode 100644
index 31070e4b..00000000
--- a/third_party/openssl/mbedtls_ssl.c
+++ /dev/null
@@ -1,470 +0,0 @@
-/******************************************************************************
- * Copyright 2016-2017 Espressif Systems (Wuxi)
- *
- * FileName: ssc_mbedtls.c
- *
- * Description: SSC mbedtls command
- *
- * Modification history:
- *     2016/6/27,    create.    dongheng
- *******************************************************************************/
-#include "mbedtls_ssl.h"
-#include "ssl_debug.h"
-#include "ssl_ctx.h"
-
-
-/*******************************************************************************/
-struct ssl_verify {
-
-	mbedtls_x509_crt own_crt;
-
-	mbedtls_x509_crt ca_crt;
-
-	mbedtls_pk_context pk;
-};
-
-
-struct ssl_fd
-{
-	/* local socket file description */
-	mbedtls_net_context fd;
-	/* remote client socket file description */
-	mbedtls_net_context cl_fd;
-
-	mbedtls_ssl_config conf;
-
-	mbedtls_ctr_drbg_context ctr_drbg;
-
-	mbedtls_ssl_context ssl;
-
-	mbedtls_entropy_context entropy;
-};
-
-struct mbed_ssl
-{
-	struct ssl_fd   *ssl_fd;
-
-	struct ssl_ctx  *ssl_ctx;
-
-	struct ssl_verify *ssl_verify;
-
-	SSL_MUTEX_DEF(mutex);
-};
-
-
-#define SSL_CHECK_ENDIAN_MODE(ssl_fd, mode) (ssl_fd->conf.endpoint & mode)
-
-#define SSL_SEND_DATA_MAX_LENGTH 1460
-/*******************************************************************************/
-/*******************************************************************************/
-
-unsigned int max_content_len;
-
-/*******************************************************************************/
-/*******************************************************************************/
-
-LOCAL struct mbed_ssl* mbed_ssl_alloc(void)
-{
-	struct mbed_ssl *mbed_ssl;
-
-	mbed_ssl = (struct mbed_ssl *)ssl_mem_zalloc(sizeof(struct mbed_ssl));
-	if (!mbed_ssl) HANDLE_RET(go_failed1, "ssl_self_alloc:[1]\n");
-
-	mbed_ssl->ssl_fd = (struct ssl_fd *)ssl_mem_zalloc(sizeof(struct ssl_fd));
-	if (!mbed_ssl->ssl_fd) HANDLE_RET(go_failed2, "ssl_self_alloc:[2]\n");
-
-	mbed_ssl->ssl_verify = (struct ssl_verify *)ssl_mem_zalloc(sizeof(struct ssl_verify));
-	if (!mbed_ssl->ssl_verify) HANDLE_RET(go_failed3, "ssl_self_alloc:[3]\n");
-
-	return mbed_ssl;
-
-go_failed3:
-	ssl_mem_free(mbed_ssl->ssl_fd);
-go_failed2:
-	ssl_mem_free(mbed_ssl);
-go_failed1:
-	return NULL;
-}
-
-LOCAL void mbed_ssl_free(struct mbed_ssl *mbed_ssl)
-{
-	ssl_mem_free(mbed_ssl->ssl_verify);
-	ssl_mem_free(mbed_ssl->ssl_fd);
-	ssl_mem_free(mbed_ssl);
-}
-
-LOCAL int mbed_ssl_init(struct mbed_ssl *mbed_ssl, struct ssl_ctx *ssl_ctx)
-{
-	int ret;
-	int endpoint;
-	unsigned char *pers;
-
-	struct ssl_fd *ssl_fd = mbed_ssl->ssl_fd;
-	struct ssl_verify *ssl_verify = mbed_ssl->ssl_verify;
-
-	mbed_ssl->ssl_ctx = ssl_ctx;
-	SSL_MUTEX_INIT(&ssl_self->mutex);
-	max_content_len = 2048;
-
-	mbedtls_x509_crt_init(&ssl_verify->ca_crt);
-	mbedtls_x509_crt_init(&ssl_verify->own_crt);
-	mbedtls_pk_init(&ssl_verify->pk);
-
-	mbedtls_net_init(&ssl_fd->fd);
-	mbedtls_net_init(&ssl_fd->cl_fd);
-	mbedtls_ssl_config_init(&ssl_fd->conf);
-	mbedtls_ctr_drbg_init(&ssl_fd->ctr_drbg);
-	mbedtls_entropy_init(&ssl_fd->entropy);
-	mbedtls_ssl_init(&ssl_fd->ssl);
-
-	if (ssl_ctx->option & SSL_SERVER_VERIFY_LATER) {
-		pers = "server"; endpoint = MBEDTLS_SSL_IS_SERVER;
-	} else {
-		pers = "client"; endpoint = MBEDTLS_SSL_IS_CLIENT;
-	}
-
-	ret = mbedtls_ctr_drbg_seed(&ssl_fd->ctr_drbg, mbedtls_entropy_func, &ssl_fd->entropy, pers, strlen(pers));
-	if (ret) HANDLE_ERR(-4, failed4, "mbedtls_ctr_drbg_seed:[%d]\n", ret);
-
-	ret = mbedtls_ssl_config_defaults(&ssl_fd->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
-	if (ret) HANDLE_ERR(-5, failed5, "mbedtls_ssl_config_defaults:[%d]\n", ret);
-
-	mbedtls_ssl_conf_rng(&ssl_fd->conf, mbedtls_ctr_drbg_random, &ssl_fd->ctr_drbg);
-	mbedtls_ssl_conf_dbg(&ssl_fd->conf, NULL, NULL);
-	mbedtls_ssl_set_bio(&ssl_fd->ssl, &ssl_fd->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
-
-	if (SSL_CTX_VERIFY(ssl_ctx)) {
-		struct ssl_ctx_verify *ctx_verify = mbed_ssl->ssl_ctx->verify;
-
-		if (ctx_verify->ca_crt) {
-			ret = mbedtls_x509_crt_parse(&ssl_verify->ca_crt, ctx_verify->ca_crt, ctx_verify->ca_crt_len);
-			if (ret) HANDLE_ERR(-6, failed6, "mbedtls_x509_crt_parse:[CA]\n", ret);
-
-			mbedtls_ssl_conf_ca_chain(&ssl_fd->conf, &ssl_verify->ca_crt, NULL);
-			mbedtls_ssl_conf_authmode(&ssl_fd->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
-		}
-
-		if (ctx_verify->own_crt) {
-			ret = mbedtls_x509_crt_parse(&ssl_verify->own_crt, ctx_verify->own_crt, ctx_verify->own_crt_len);
-			if (ret) HANDLE_ERR(-7, failed7, "mbedtls_x509_crt_parse:[OWN]\n", ret);
-		}
-
-		if (ctx_verify->pk) {
-			ret = mbedtls_pk_parse_key(&ssl_verify->pk, ctx_verify->pk, ctx_verify->pk_len, NULL, 0);
-			if (ret) HANDLE_ERR(-8, failed8, "mbedtls_x509_crt_parse:[PK]\n", ret);
-
-			ret = mbedtls_ssl_conf_own_cert(&ssl_fd->conf, &ssl_verify->own_crt, &ssl_verify->pk);
-			if (ret) HANDLE_ERR(-9, failed9, "mbedtls_ssl_conf_own_cert:[%d]\n", ret);
-		}
-	} else {
-		mbedtls_ssl_conf_authmode(&ssl_fd->conf, MBEDTLS_SSL_VERIFY_NONE);
-	}
-
-	return 0;
-
-failed9:
-	mbedtls_pk_free(&ssl_verify->pk);
-failed8:
-	mbedtls_x509_crt_free(&ssl_verify->own_crt);
-failed7:
-	mbedtls_x509_crt_free(&ssl_verify->ca_crt);
-failed6:
-	mbedtls_ssl_config_free(&ssl_fd->conf);
-failed5:
-	mbedtls_ctr_drbg_free(&ssl_fd->ctr_drbg);
-failed4:
-failed3:
-failed2:
-	mbedtls_entropy_free(&ssl_fd->entropy);
-failed1:
-	return ret;
-}
-
-LOCAL void mbed_ssl_deinit(struct mbed_ssl *mbed_ssl)
-{
-	struct ssl_fd *ssl_fd = mbed_ssl->ssl_fd;
-	struct ssl_verify *ssl_verify = mbed_ssl->ssl_verify;
-
-	mbedtls_x509_crt_free(&ssl_verify->ca_crt);
-	mbedtls_x509_crt_free(&ssl_verify->own_crt);
-	mbedtls_pk_free(&ssl_verify->pk);
-
-	mbedtls_entropy_free(&ssl_fd->entropy);
-	mbedtls_ctr_drbg_free(&ssl_fd->ctr_drbg);
-	mbedtls_ssl_config_free(&ssl_fd->conf);
-	mbedtls_ssl_free(&ssl_fd->ssl);
-}
-
-LOCAL void mbed_ssl_disconnect(struct mbed_ssl *mbed_ssl)
-{
-	struct ssl_fd *ssl_fd = mbed_ssl->ssl_fd;
-
-	mbedtls_ssl_close_notify(&ssl_fd->ssl);
-}
-
-LOCAL int mbed_ssl_setup(struct mbed_ssl *mbed_ssl)
-{
-	int ret;
-	struct ssl_fd *ssl_fd = mbed_ssl->ssl_fd;
-
-	ret = mbedtls_ssl_setup(&ssl_fd->ssl, &ssl_fd->conf);
-	if (ret) HANDLE_ERR(-1, failed1, "mbedtls_ssl_setup:[%d]\n", ret);
-
-	return 0;
-
-failed1:
-	return ret;
-}
-
-/*******************************************************************************/
-/*******************************************************************************/
-
-int ssl_libary_init(void)
-{
-	return 0;
-}
-
-/*******************************************************************************/
-/*******************************************************************************/
-
-SSL* ssl_new(struct ssl_ctx *ssl_ctx)
-{
-	int ret;
-	struct mbed_ssl *mbed_ssl;
-
-	if (!ssl_ctx) HANDLE_ERR(-1, go_failed1, "ssl_new[1]\n");
-
-	mbed_ssl = mbed_ssl_alloc();
-	if (!mbed_ssl) HANDLE_ERR(-2, go_failed1, "ssc_soc_ssl_create\n");
-
-	ret = mbed_ssl_init(mbed_ssl, ssl_ctx);
-	if (ret) HANDLE_ERR(-3, go_failed2, "ssc_soc_ssl_init\n");
-
-	ret = mbed_ssl_setup(mbed_ssl);
-	if (ret) HANDLE_ERR(-4, go_failed3, "ssc_soc_ssl_setup\n");
-
-	return (SSL *)mbed_ssl;
-
-go_failed3:
-	mbed_ssl_deinit(mbed_ssl);
-go_failed2:
-	mbed_ssl_free(mbed_ssl);
-go_failed1:
-	return NULL;
-}
-
-int ssl_set_fd(SSL *ssl, int fd)
-{
-	int ret;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl) HANDLE_ERR(-1, go_failed1, "ssl_set_fd[1]\n");
-	if (fd < 0) HANDLE_ERR(-1, go_failed2, "ssl_set_fd[2]\n");
-
-	mbed_ssl->ssl_fd->fd.fd = fd;
-
-	return 0;
-
-go_failed2:
-go_failed1:
-	return ret;
-}
-
-int ssl_set_rfd(SSL *ssl, int fd)
-{
-	return ssl_set_fd(ssl, fd);
-}
-
-int ssl_set_wfd(SSL *ssl, int fd)
-{
-	return ssl_set_fd(ssl, fd);
-}
-
-int ssl_shutdown(SSL *ssl)
-{
-	int ret;
-	struct ssl_fd *ssl_fd;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl || !mbed_ssl->ssl_fd) HANDLE_ERR(-1, go_failed1, "ssl_shutdown\n");
-
-	ssl_fd = mbed_ssl->ssl_fd;
-	if (ssl_fd->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) return 0;
-
-	mbed_ssl_disconnect(mbed_ssl);
-
-	return 0;
-
-go_failed1:
-	return ret;
-}
-
-int ICACHE_FLASH_ATTR
-ssl_free(SSL *ssl)
-{
-	int ret;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl) HANDLE_ERR(-1, go_failed1, "ssl_free\n");
-
-	mbed_ssl_deinit(mbed_ssl);
-	mbed_ssl_free(mbed_ssl);
-
-	return 0;
-
-go_failed1:
-	return ret;
-}
-
-int ssl_connect(SSL *ssl)
-{
-	int ret;
-	struct ssl_fd *ssl_fd;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl) HANDLE_ERR(-1, go_failed1, "ssl_connect\n");
-
-	ssl_fd = mbed_ssl->ssl_fd;
-	while((ret = mbedtls_ssl_handshake(&ssl_fd->ssl)) != 0) {
-		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-			HANDLE_ERR(-2, go_failed2, "mbedtls_ssl_handshake:[-0x%x]\n", -ret);
-		}
-	}
-
-	if (SSL_CHECK_ENDIAN_MODE(ssl_fd, MBEDTLS_SSL_IS_SERVER)) {
-		MBED_SSL_DEBUG(1, "server");
-	} else {
-		MBED_SSL_DEBUG(1, "client");
-	}
-
-	if (ssl_fd->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER) {
-		MBED_SSL_DEBUG(1, " handshake OK\n");
-	} else {
-		MBED_SSL_DEBUG(1, " handshake failed\n");
-	}
-
-	return 0;
-
-go_failed2:
-go_failed1:
-	return ret;
-}
-
-int ssl_accept(SSL *ssl)
-{
-	int ret;
-	struct ssl_fd *ssl_fd;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl) HANDLE_ERR(-1, go_failed1, "ssl_connect\n");
-
-	while((ret = mbedtls_ssl_handshake(&ssl_fd->ssl)) != 0) {
-		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-			HANDLE_ERR(-2, go_failed2, "mbedtls_ssl_handshake\n");
-		}
-	}
-
-	if (SSL_CHECK_ENDIAN_MODE(ssl_fd, MBEDTLS_SSL_IS_SERVER)) {
-		MBED_SSL_DEBUG(1, "server");
-	} else {
-		MBED_SSL_DEBUG(1, "client");
-	}
-
-	if (ssl_fd->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER) {
-		MBED_SSL_DEBUG(1, " handshake OK\n");
-	} else {
-		MBED_SSL_DEBUG(1, " handshake failed\n");
-	}
-
-go_failed2:
-go_failed1:
-	return ret;
-}
-
-int ssl_read(SSL *ssl, void *buffer, int max_len)
-{
-	int ret;
-	struct ssl_fd *ssl_fd;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl || !mbed_ssl->ssl_fd) HANDLE_ERR(-1, go_failed1, "ssl_read\n");
-
-	ssl_fd = mbed_ssl->ssl_fd;
-	while((ret = mbedtls_ssl_read(&ssl_fd->ssl, buffer, max_len)) < 0) { //return = 0 >> EOF
-		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-			HANDLE_ERR(-2, go_failed2, "ssl_read\n");
-		}
-	}
-
-	return ret;
-
-go_failed2:
-go_failed1:
-	return ret;
-}
-
-static int ssl_write_data(struct mbed_ssl *mbed_ssl, const char *buffer, int max_len)
-{
-	int ret;
-	struct ssl_fd *ssl_fd = mbed_ssl->ssl_fd;
-
-	if (!ssl_fd) HANDLE_ERR(-1, go_failed1, "ssl_write_data\n");
-
-	while((ret = mbedtls_ssl_write(&ssl_fd->ssl, buffer, max_len)) < 0) {
-		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-			HANDLE_ERR(-2, go_failed2, "ssl_write\n");
-		}
-	}
-
-	return ret;
-
-go_failed2:
-go_failed1:
-	return ret;
-}
-
-int ssl_write(SSL *ssl, const void *buffer, int max_len)
-{
-	int ret;
-	int send_len = max_len;
-	const char *pbuf = (const char *)buffer;
-	struct mbed_ssl *mbed_ssl = (struct mbed_ssl *)ssl;
-
-	if (!mbed_ssl) return -1;
-
-	do {
-		int send_bytes;
-
-		if (send_len > SSL_SEND_DATA_MAX_LENGTH)
-			send_bytes = SSL_SEND_DATA_MAX_LENGTH;
-		else
-			send_bytes = send_len;
-
-		ret = ssl_write_data(mbed_ssl, pbuf, send_bytes);
-		if (ret > 0) {
-			pbuf += send_bytes;
-			send_len -= send_bytes;
-		}
-	} while (ret > 0 && send_len);
-
-	return ret;
-}
-
-int ssl_fragment_length_negotiation(SSL *ssl, unsigned int frag)
-{
-	if (frag < 2048 || frag > 8192) return -1;
-
-	max_content_len = frag;
-
-	return 0;
-
-go_failed1:
-	return -1;
-}
-
-int ssl_get_verify_result(SSL *ssl)
-{
-	return 0;
-}
-
-
diff --git a/third_party/openssl/platform/Makefile b/third_party/openssl/platform/Makefile
new file mode 100644
index 00000000..3fc3ed23
--- /dev/null
+++ b/third_party/openssl/platform/Makefile
@@ -0,0 +1,46 @@
+
+#############################################################
+# Required variables for each makefile
+# Discard this section from all parent makefiles
+# Expected variables (with automatic defaults):
+#   CSRCS (all "C" files in the dir)
+#   SUBDIRS (all subdirs with a Makefile)
+#   GEN_LIBS - list of libs to be generated ()
+#   GEN_IMAGES - list of images to be generated ()
+#   COMPONENTS_xxx - a list of libs/objs in the form
+#     subdir/lib to be extracted and rolled up into
+#     a generated lib/image xxx.a ()
+#
+ifndef PDIR
+
+GEN_LIBS = libplatform.a
+
+endif
+
+
+#############################################################
+# Configuration i.e. compile options etc.
+# Target specific stuff (defines etc.) goes in here!
+# Generally values applying to a tree are captured in the
+#   makefile at its root level - these are then overridden
+#   for a subtree within the makefile rooted therein
+#
+#DEFINES += 
+
+#############################################################
+# Recursion Magic - Don't touch this!!
+#
+# Each subtree potentially has an include directory
+#   corresponding to the common APIs applicable to modules
+#   rooted at that subtree. Accordingly, the INCLUDE PATH
+#   of a module can only contain the include directories up
+#   its parent path, and not its siblings
+#
+# Required for each makefile to inherit from the parent
+#
+
+INCLUDES := $(INCLUDES) -I $(PDIR)include
+INCLUDES += -I ./
+PDIR := ../$(PDIR)
+sinclude $(PDIR)Makefile
+
diff --git a/third_party/openssl/platform/ssl_pm.c b/third_party/openssl/platform/ssl_pm.c
new file mode 100644
index 00000000..74a0f4ff
--- /dev/null
+++ b/third_party/openssl/platform/ssl_pm.c
@@ -0,0 +1,667 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "ssl_pm.h"
+#include "ssl_port.h"
+#include "ssl_dbg.h"
+
+/* mbedtls include */
+#include "mbedtls/platform.h"
+#include "mbedtls/net.h"
+#include "mbedtls/debug.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/error.h"
+#include "mbedtls/certs.h"
+
+#define X509_INFO_STRING_LENGTH 3072
+#define OPENSSL_READ_BUFFER_LENGTH_MIN 2048
+#define OPENSSL_READ_BUFFER_LENGTH_MAX 8192
+
+struct ssl_pm
+{
+    /* local socket file description */
+    mbedtls_net_context fd;
+    /* remote client socket file description */
+    mbedtls_net_context cl_fd;
+
+    mbedtls_ssl_config conf;
+
+    mbedtls_ctr_drbg_context ctr_drbg;
+
+    mbedtls_ssl_context ssl;
+
+    mbedtls_entropy_context entropy;
+};
+
+struct x509_pm
+{
+    mbedtls_x509_crt *x509_crt;
+
+    mbedtls_x509_crt *ex_crt;
+};
+
+struct pkey_pm
+{
+    mbedtls_pk_context *pkey;
+
+    mbedtls_pk_context *ex_pkey;
+};
+
+unsigned int max_content_len;
+
+/*********************************************************************************************/
+/************************************ SSL arch interface *************************************/
+
+#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
+
+/* mbedtls debug level */
+#define MBEDTLS_DEBUG_LEVEL 4
+
+/**
+ * @brief mbedtls debug function
+ */
+static void ssl_platform_debug(void *ctx, int level,
+                     const char *file, int line,
+                     const char *str)
+{
+    /* Shorten 'file' from the whole file path to just the filename
+
+       This is a bit wasteful because the macros are compiled in with
+       the full _FILE_ path in each case.
+    */
+    char *file_sep = rindex(file, '/');
+    if(file_sep)
+        file = file_sep + 1;
+
+    SSL_DEBUG(SSL_DEBUG_ON, "%s:%d %s", file, line, str);
+}
+#endif
+
+/**
+ * @brief create SSL low-level object
+ */
+int ssl_pm_new(SSL *ssl)
+{
+    struct ssl_pm *ssl_pm;
+    int ret;
+
+    const unsigned char pers[] = "OpenSSL PM";
+    size_t pers_len = sizeof(pers);
+
+    int endpoint;
+    int version;
+
+    const SSL_METHOD *method = ssl->method;
+
+    if (ssl->ctx->read_buffer_len < OPENSSL_READ_BUFFER_LENGTH_MIN ||
+        ssl->ctx->read_buffer_len > OPENSSL_READ_BUFFER_LENGTH_MAX)
+        return -1;
+
+     ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
+    if (!ssl_pm) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
+        goto no_mem;
+    }
+
+    max_content_len = ssl->ctx->read_buffer_len;
+
+    mbedtls_net_init(&ssl_pm->fd);
+    mbedtls_net_init(&ssl_pm->cl_fd);
+
+    mbedtls_ssl_config_init(&ssl_pm->conf);
+    mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg);
+    mbedtls_entropy_init(&ssl_pm->entropy);
+    mbedtls_ssl_init(&ssl_pm->ssl);
+
+    ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
+        goto mbedtls_err1;
+    }
+
+    if (method->endpoint) {
+        endpoint = MBEDTLS_SSL_IS_SERVER;
+    } else {
+        endpoint = MBEDTLS_SSL_IS_CLIENT;
+    }
+    ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
+        goto mbedtls_err2;
+    }
+
+    if (TLS_ANY_VERSION != ssl->version) {
+        if (TLS1_2_VERSION == ssl->version)
+            version = MBEDTLS_SSL_MINOR_VERSION_3;
+        else if (TLS1_1_VERSION == ssl->version)
+            version = MBEDTLS_SSL_MINOR_VERSION_2;
+        else if (TLS1_VERSION == ssl->version)
+            version = MBEDTLS_SSL_MINOR_VERSION_1;
+        else
+            version = MBEDTLS_SSL_MINOR_VERSION_0;
+
+        mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
+        mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
+    } else {
+        mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
+        mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
+    }
+
+    mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
+
+#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
+    mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
+    mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
+#else
+    mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
+#endif
+
+    ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
+        goto mbedtls_err2;
+    }
+
+    mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
+
+    ssl->ssl_pm = ssl_pm;
+
+    return 0;
+
+mbedtls_err2:
+    mbedtls_ssl_config_free(&ssl_pm->conf);
+    mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
+mbedtls_err1:
+    mbedtls_entropy_free(&ssl_pm->entropy);
+    ssl_mem_free(ssl_pm);
+no_mem:
+    return -1;
+}
+
+/**
+ * @brief free SSL low-level object
+ */
+void ssl_pm_free(SSL *ssl)
+{
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
+    mbedtls_entropy_free(&ssl_pm->entropy);
+    mbedtls_ssl_config_free(&ssl_pm->conf);
+    mbedtls_ssl_free(&ssl_pm->ssl);
+
+    ssl_mem_free(ssl_pm);
+    ssl->ssl_pm = NULL;
+}
+
+/**
+ * @brief reload SSL low-level certification object
+ */
+static int ssl_pm_reload_crt(SSL *ssl)
+{
+    int ret;
+    int mode;
+    struct ssl_pm *ssl_pm = ssl->ssl_pm;
+    struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
+
+    struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+    struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+
+    if (ssl->verify_mode == SSL_VERIFY_PEER)
+        mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+    else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+        mode = MBEDTLS_SSL_VERIFY_UNSET;
+    else
+        mode = MBEDTLS_SSL_VERIFY_NONE;
+
+    mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
+
+    if (ca_pm->x509_crt) {
+        mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
+    } else if (ca_pm->ex_crt) {
+        mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
+    }
+
+    if (crt_pm->x509_crt && pkey_pm->pkey) {
+        ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
+    } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
+        ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
+    } else {
+        ret = 0;
+    }
+
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
+        ret = -1;
+    }
+
+    return ret;
+}
+
+/*
+ * Perform the mbedtls SSL handshake instead of mbedtls_ssl_handshake.
+ * We can add debug here.
+ */
+static int mbedtls_handshake( mbedtls_ssl_context *ssl )
+{
+    int ret = 0;
+
+    while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
+        ret = mbedtls_ssl_handshake_step(ssl);
+
+        SSL_DEBUG(SSL_PLATFORM_DEBUG_LEVEL, "ssl ret %d state %d", ret, ssl->state);
+
+        if (ret != 0)
+            break;
+    }
+
+    return ret;
+}
+
+int ssl_pm_handshake(SSL *ssl)
+{
+    int ret;
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ret = ssl_pm_reload_crt(ssl);
+    if (ret)
+        return 0;
+
+    ssl_speed_up_enter();
+
+    while((ret = mbedtls_handshake(&ssl_pm->ssl)) != 0) {
+        if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+           break;
+        }
+    }
+
+    ssl_speed_up_exit();
+
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -ret);
+        ret = 0;
+    } else {
+        struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
+
+        x509_pm->ex_crt = (mbedtls_x509_crt *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);
+        ret = 1;
+    }
+
+    return ret;
+}
+
+int ssl_pm_shutdown(SSL *ssl)
+{
+    int ret;
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_close_notify() return -0x%x", -ret);
+        ret = -1;
+    } else {
+        struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
+
+        x509_pm->ex_crt = NULL;
+    }
+
+    return ret;
+}
+
+int ssl_pm_clear(SSL *ssl)
+{
+    return ssl_pm_shutdown(ssl);
+}
+
+
+int ssl_pm_read(SSL *ssl, void *buffer, int len)
+{
+    int ret;
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
+    if (ret < 0) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret);
+        ret = -1;
+    }
+
+    return ret;
+}
+
+int ssl_pm_send(SSL *ssl, const void *buffer, int len)
+{
+    int ret;
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
+    if (ret < 0) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
+        ret = -1;
+    }
+
+    return ret;
+}
+
+int ssl_pm_pending(const SSL *ssl)
+{
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    return mbedtls_ssl_get_bytes_avail(&ssl_pm->ssl);
+}
+
+void ssl_pm_set_fd(SSL *ssl, int fd, int mode)
+{
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ssl_pm->fd.fd = fd;
+}
+
+int ssl_pm_get_fd(const SSL *ssl, int mode)
+{
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    return ssl_pm->fd.fd;
+}
+
+OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)
+{
+    OSSL_HANDSHAKE_STATE state;
+
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    switch (ssl_pm->ssl.state)
+    {
+        case MBEDTLS_SSL_CLIENT_HELLO:
+            state = TLS_ST_CW_CLNT_HELLO;
+            break;
+        case MBEDTLS_SSL_SERVER_HELLO:
+            state = TLS_ST_SW_SRVR_HELLO;
+            break;
+        case MBEDTLS_SSL_SERVER_CERTIFICATE:
+            state = TLS_ST_SW_CERT;
+            break;
+        case MBEDTLS_SSL_SERVER_HELLO_DONE:
+            state = TLS_ST_SW_SRVR_DONE;
+            break;
+        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
+            state = TLS_ST_CW_KEY_EXCH;
+            break;
+        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
+            state = TLS_ST_CW_CHANGE;
+            break;
+        case MBEDTLS_SSL_CLIENT_FINISHED:
+            state = TLS_ST_CW_FINISHED;
+            break;
+        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
+            state = TLS_ST_SW_CHANGE;
+            break;
+        case MBEDTLS_SSL_SERVER_FINISHED:
+            state = TLS_ST_SW_FINISHED;
+            break;
+        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
+            state = TLS_ST_CW_CERT;
+            break;
+        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
+            state = TLS_ST_SR_KEY_EXCH;
+            break;
+        case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
+            state = TLS_ST_SW_SESSION_TICKET;
+            break;
+        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
+            state = TLS_ST_SW_CERT_REQ;
+            break;
+        case MBEDTLS_SSL_HANDSHAKE_OVER:
+            state = TLS_ST_OK;
+            break;
+        default :
+            state = TLS_ST_BEFORE;
+            break;
+    }
+
+    return state;
+}
+
+int x509_pm_show_info(X509 *x)
+{
+    int ret;
+    char *buf;
+    mbedtls_x509_crt *x509_crt;
+    struct x509_pm *x509_pm = x->x509_pm;
+
+    if (x509_pm->x509_crt)
+        x509_crt = x509_pm->x509_crt;
+    else if (x509_pm->ex_crt)
+        x509_crt = x509_pm->ex_crt;
+    else
+        x509_crt = NULL;
+
+    if (!x509_crt)
+        return -1;
+
+    buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH);
+    if (!buf) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)");
+        goto no_mem;
+    }
+
+    ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt);
+    if (ret <= 0) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret);
+        goto mbedtls_err1;
+    }
+
+    buf[ret] = 0;
+
+    ssl_mem_free(buf);
+
+    SSL_DEBUG(SSL_DEBUG_ON, "%s", buf);
+
+    return 0;
+
+mbedtls_err1:
+    ssl_mem_free(buf);
+no_mem:
+    return -1;
+}
+
+int x509_pm_new(X509 *x, X509 *m_x)
+{
+    struct x509_pm *x509_pm;
+
+    x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm));
+    if (!x509_pm) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)");
+        goto failed1;
+    }
+
+    x->x509_pm = x509_pm;
+
+    if (m_x) {
+        struct x509_pm *m_x509_pm = (struct x509_pm *)m_x->x509_pm;
+
+        x509_pm->ex_crt = m_x509_pm->x509_crt;
+    }
+
+    return 0;
+
+failed1:
+    return -1;
+}
+
+void x509_pm_free(X509 *x)
+{
+    struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
+
+    if (x509_pm->x509_crt) {
+        mbedtls_x509_crt_free(x509_pm->x509_crt);
+
+        ssl_mem_free(x509_pm->x509_crt);
+        x509_pm->x509_crt = NULL;
+    }
+
+    ssl_mem_free(x->x509_pm);
+    x->x509_pm = NULL;
+}
+
+int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
+{
+    int ret;
+    unsigned char *load_buf;
+    struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
+
+	if (x509_pm->x509_crt)
+        mbedtls_x509_crt_free(x509_pm->x509_crt);
+
+    if (!x509_pm->x509_crt) {
+        x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
+        if (!x509_pm->x509_crt) {
+            SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
+            goto no_mem;
+        }
+    }
+
+    load_buf = ssl_mem_malloc(len + 1);
+    if (!load_buf) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
+        goto failed;
+    }
+
+    ssl_memcpy(load_buf, buffer, len);
+    load_buf[len] = '\0';
+
+    mbedtls_x509_crt_init(x509_pm->x509_crt);
+
+    ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1);
+    ssl_mem_free(load_buf);
+
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_parse return -0x%x", -ret);
+        goto failed;
+    }
+
+    return 0;
+
+failed:
+    mbedtls_x509_crt_free(x509_pm->x509_crt);
+    ssl_mem_free(x509_pm->x509_crt);
+    x509_pm->x509_crt = NULL;
+no_mem:
+    return -1;
+}
+
+int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey)
+{
+    struct pkey_pm *pkey_pm;
+
+    pkey_pm = ssl_mem_zalloc(sizeof(struct pkey_pm));
+    if (!pkey_pm)
+        return -1;
+
+    pk->pkey_pm = pkey_pm;
+
+    if (m_pkey) {
+        struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm;
+
+        pkey_pm->ex_pkey = m_pkey_pm->pkey;
+    }
+
+    return 0;
+}
+
+void pkey_pm_free(EVP_PKEY *pk)
+{
+    struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
+
+    if (pkey_pm->pkey) {
+        mbedtls_pk_free(pkey_pm->pkey);
+
+        ssl_mem_free(pkey_pm->pkey);
+        pkey_pm->pkey = NULL;
+    }
+
+    ssl_mem_free(pk->pkey_pm);
+    pk->pkey_pm = NULL;
+}
+
+int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
+{
+    int ret;
+    unsigned char *load_buf;
+    struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
+
+    if (pkey_pm->pkey)
+        mbedtls_pk_free(pkey_pm->pkey);
+
+    if (!pkey_pm->pkey) {
+        pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context));
+        if (!pkey_pm->pkey) {
+            SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)");
+            goto no_mem;
+        }
+    }
+
+    load_buf = ssl_mem_malloc(len + 1);
+    if (!load_buf) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
+        goto failed;
+    }
+
+    ssl_memcpy(load_buf, buffer, len);
+    load_buf[len] = '\0';
+
+    mbedtls_pk_init(pkey_pm->pkey);
+
+    ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len + 1, NULL, 0);
+    ssl_mem_free(load_buf);
+
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret);
+        goto failed;
+    }
+
+    return 0;
+
+failed:
+    mbedtls_pk_free(pkey_pm->pkey);
+    ssl_mem_free(pkey_pm->pkey);
+    pkey_pm->pkey = NULL;
+no_mem:
+    return -1;
+}
+
+
+
+void ssl_pm_set_bufflen(SSL *ssl, int len)
+{
+    max_content_len = len;
+}
+
+long ssl_pm_get_verify_result(const SSL *ssl)
+{
+    long ret;
+    long verify_result;
+    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+
+    ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
+    if (ret) {
+        SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return -0x%x", -ret);
+        verify_result = X509_V_ERR_UNSPECIFIED;
+    } else
+        verify_result = X509_V_OK;
+
+    return verify_result;
+}
diff --git a/third_party/openssl/ssl_ctx.c b/third_party/openssl/ssl_ctx.c
deleted file mode 100644
index 139cd321..00000000
--- a/third_party/openssl/ssl_ctx.c
+++ /dev/null
@@ -1,180 +0,0 @@
-#include "ssl_ctx.h"
-#include "ssl_debug.h"
-
-
-#ifndef MBED_SSL_CRT_MAX_LENGTH
-	#define MBED_SSL_CRT_MAX_LENGTH (8 * 1024)
-#endif
-
-struct ssl_ctx* ssl_ctx_new(struct ssl_method *method)
-{
-	int ret;
-	struct ssl_ctx *ctx;
-	struct ssl_ctx_verify *verify;
-
-	//if (!method) HANDLE_ERR(-1, go_failed1, "ssl_ctx_new:method\n");
-
-	ctx = (struct ssl_ctx *)ssl_mem_zalloc(sizeof(struct ssl_ctx));
-	if (!ctx) HANDLE_ERR(-2, go_failed2, "ssl_ctx_new:ctx\n");
-
-	verify = (struct ssl_ctx_verify *)ssl_mem_zalloc(sizeof(struct ssl_ctx_verify));
-	if (!verify) HANDLE_ERR(-3, go_failed3, "ssl_ctx_new:verify\n");
-
-	ctx->verify = verify;
-
-	return ctx;
-
-go_failed3:
-	ssl_mem_free(ctx);
-go_failed2:
-go_failed1:
-	return SSL_NULL;
-}
-
-int ssl_ctx_set_verify(struct ssl_ctx *ctx, int mode,
-                       int (*cb)(int, struct x590_store_ctx *))
-{
-	struct ssl_ctx_verify *verify = ctx->verify;
-
-	verify->verify_mode = mode;
-	verify->verify_cb = cb;
-
-	return 0;
-}
-
-int ssl_ctx_load_verify(struct ssl_ctx *ctx, const char *CAfile, const char *CApath)
-{
-	return 0;
-}
-
-int ssl_ctx_use_certificate(struct ssl_ctx *ctx, const char *file, unsigned int size)
-{
-	return 0;
-}
-
-int ssl_ctx_use_privatekey(struct ssl_ctx *ctx, const char *file, unsigned int size)
-{
-	return 0;
-}
-
-int ssl_ctx_check_private_key(struct ssl_ctx *ctx)
-{
-	return 0;
-}
-
-LOCAL void ssl_ctx_verify_free(struct ssl_ctx_verify *ctx_verify)
-{
-	if (ctx_verify->ca_crt) ssl_mem_free(ctx_verify->ca_crt);
-	if (ctx_verify->own_crt) ssl_mem_free(ctx_verify->own_crt);
-	if (ctx_verify->pk) ssl_mem_free(ctx_verify->pk);
-
-	ssl_mem_free(ctx_verify);
-}
-
-void ssl_ctx_free(struct ssl_ctx *ctx)
-{
-	if (!ctx) return ;
-
-	ssl_ctx_verify_free(ctx->verify);
-	ssl_mem_free(ctx);
-}
-
-struct ssl_method* ssl_method_create(int mode, int ver)
-{
-	return SSL_NULL;
-}
-
-LOCAL char* ssl_ctx_malloc_crt(const char *buf, unsigned int len, unsigned int *act_len)
-{
-	int ret;
-	char *crt;
-
-	crt = (char *)ssl_mem_zalloc(len + 1);
-	if (!crt) HANDLE_ERR(-1, go_failed1, "ssl_ctx_malloc_crt\n");
-
-	ssl_memcpy(crt, buf, len);
-	crt[len] = '\0';
-	*act_len = len + 1;
-
-	return crt;
-
-go_failed1:
-	return NULL;
-}
-
-int ssl_obj_memory_load(struct ssl_ctx *ctx, int type, char *buf, unsigned int len , void *attr)
-{
-	int ret;
-	struct ssl_ctx_verify *verify;
-
-	if (!ctx || !ctx->verify || MBED_SSL_CRT_MAX_LENGTH < len) return -1;
-
-	verify = ctx->verify;
-	switch (type) {
-		case SSL_OBJ_X509_CACERT :
-		{
-			char *crt;
-			unsigned int crt_len;
-
-			crt = ssl_ctx_malloc_crt(buf, len, &crt_len);
-			if (!crt) HANDLE_ERR(-2, go_failed1, "ssl_obj_memory_load:CA\n");
-
-			verify->ca_crt = crt;
-			verify->ca_crt_len = crt_len;
-
-			ret = 0;
-
-			break;
-		}
-		case SSL_OBJ_X509_CERT :
-		{
-			char *crt;
-			unsigned int crt_len;
-
-			crt = ssl_ctx_malloc_crt(buf, len, &crt_len);
-			if (!crt) HANDLE_ERR(-3, go_failed1, "ssl_obj_memory_load:CA\n");
-
-			verify->own_crt = crt;
-			verify->own_crt_len = crt_len;
-
-			ret = 0;
-
-			break;
-		}
-
-		case SSL_OBJ_RSA_KEY :
-		{
-			char *crt;
-			unsigned int crt_len;
-
-			crt = ssl_ctx_malloc_crt(buf, len, &crt_len);
-			if (!crt) HANDLE_ERR(-4, go_failed1, "ssl_obj_memory_load:CA\n");
-
-			verify->pk = crt;
-			verify->pk_len = crt_len;
-
-			ret = 0;
-
-			break;
-		}
-
-		default :
-		{
-			ret = -2;
-
-			break;
-		}
-	}
-
-	return 0;
-
-go_failed1:
-	return ret;
-}
-
-int ssl_ctx_set_option(struct ssl_ctx *ctx, int opt)
-{
-	ctx->option = opt;
-
-	return 0;
-}